Back to cryptphi's contests

ENS contest - cryptphi's results

Decentralised naming for wallets, websites, & more.

General Information

Platform: Code4rena

Start Date: 12/07/2022

Pot Size: $75,000 USDC

Total HM: 16

Participants: 100

Period: 7 days

Judge: LSDan

Total Solo HM: 7

Id: 145

League: ETH

ENS

Findings Distribution

Researcher Performance

Rank: 12/100

Findings: 3

Award: $1,223.05

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryENS

Findings Information

🌟 Selected for report: panprog

Also found by: Aussie_Battlers, brgltd, cryptphi, peritoflores, wastewa

Labels

bug
duplicate
3 (High Risk)

Awards

1138.7337 USDC - $1,138.73

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-07-ens/blob/main/contracts/wrapper/NameWrapper.sol#L813 https://github.com/code-423n4/2022-07-ens/blob/main/contracts/wrapper/NameWrapper.sol#L524 https://github.com/code-423n4/2022-07-ens/blob/main/contracts/wrapper/NameWrapper.sol#L572

Vulnerability details

Impact

When calling the internal function _transferAndBurnFuses() in NameWrapper.setSubnodeOwner() or NameWrapper.setSubnodeRecord() , ERC1155Fuse._transfer() is called before _setFuses() which creates a reentrancy opportunity when newOwner is a contract, which may allow a contract to onERC1155Received callback into the NameWrapper contract after receiving the token.

The attacker contract could, on the callback, call a function with attacker controlled fuses input which eventually sets the fuses to uint32 other than 0.

Tools Used

Manual review

The _setFuses() call in line 821 could come before the _transfer() call

_setFuses(node, owner, fuses, expiry);
_transfer(owner, newOwner, uint256(node), 1, "");

The _transfer() already calls internal function _setData in ERC1155Fuse contract.

#0 - sseefried

2022-07-20T00:29:17Z

Duplicate of #124

#1 - dmvt

2022-08-03T13:15:40Z

Duplicate of #84

Findings Information

🌟 Selected for report: rajatbeladiya

Also found by: 0x29A, 0xNineDec, Amithuddar, Aussie_Battlers, Ch_301, Dravee, GimelSec, IllIllI, Jujic, Limbooo, RedOneN, Ruhum, TomJ, _Adam, __141345__, alan724, asutorufos, berndartmueller, c3phas, cccz, cryptphi, durianSausage, fatherOfBlocks, hake, hyh, pashov, scaraven, zzzitron

Awards

5.45 USDC - $5.45

Labels

bug
duplicate
2 (Med Risk)

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-07-ens/blob/main/contracts/ethregistrar/ETHRegistrarController.sol#L183 https://github.com/code-423n4/2022-07-ens/blob/main/contracts/ethregistrar/ETHRegistrarController.sol#L204 https://github.com/code-423n4/2022-07-ens/blob/main/contracts/ethregistrar/ETHRegistrarController.sol#L211

Vulnerability details

Impact

The use of the deprecated transfer() function for an address will inevitably make the transaction fail when the caller is a smart contract and:

  1. Does not implement a payable function.
  2. Implements a payable fallback which uses more than 2300 gas unit.
  3. Implements a payable fallback function that needs less than 2300 gas units but is called through proxy, raising the call's gas usage above 2300.

Additionally, using higher than 2300 gas might be mandatory for some multisig wallets.

Proof of Concept

https://github.com/code-423n4/2022-07-ens/blob/main/contracts/ethregistrar/ETHRegistrarController.sol#L183 https://github.com/code-423n4/2022-07-ens/blob/main/contracts/ethregistrar/ETHRegistrarController.sol#L204 https://github.com/code-423n4/2022-07-ens/blob/main/contracts/ethregistrar/ETHRegistrarController.sol#L211

Tools Used

Manual review

using call() instead of transfer() is recommended as suggested in https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/

#0 - jefflau

2022-07-22T09:51:55Z

Duplicate of #133

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1f8b, 0x29A, 0xDjango, 0xNazgul, 0xNineDec, 0xf15ers, 8olidity, Aussie_Battlers, Bnke0x0, Ch_301, Critical, Deivitto, Dravee, ElKu, Funen, GimelSec, JC, JohnSmith, Lambda, MiloTruck, PwnedNoMore, ReyAdmirado, Rohan16, Rolezn, Ruhum, RustyRabbit, Sm4rty, TomJ, Waze, _Adam, __141345__, alan724, asutorufos, benbaessler, berndartmueller, bin2chen, brgltd, bulej93, c3phas, cRat1st0s, cryptonue, cryptphi, csanuragjain, delfin454000, dxdv, exd0tpy, fatherOfBlocks, gogo, hake, hyh, joestakey, kyteg, lcfr_eth, minhtrng, p_crypt0, pashov, pedr02b2, philogy, rajatbeladiya, rbserver, rishabh, robee, rokinot, sach1r0, sashik_eth, seyni, simon135, svskaushik, zuhaibmohd, zzzitron

Awards

78.8739 USDC - $78.87

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue
  1. Missing zero address check The following functions are missing a zero address check, which may cause ownership to become address(0).

**Occurrences in: Owned.setOwner() - https://github.com/code-423n4/2022-07-ens/blob/main/contracts/dnssec-oracle/Owned.sol#L18-L20 NameWrapper.setRecord() - https://github.com/code-423n4/2022-07-ens/blob/main/contracts/wrapper/NameWrapper.sol#L600 NameWrapper.setSubnodeOwner() (affected by _transferAndBurnFuses()) - https://github.com/code-423n4/2022-07-ens/blob/main/contracts/wrapper/NameWrapper.sol#L524 NameWrapper.setSubnodeRecord() (affected by _transferAndBurnFuses()) - https://github.com/code-423n4/2022-07-ens/blob/main/contracts/wrapper/NameWrapper.sol#L572 NameWrapper. _transferAndBurnFuses() - https://github.com/code-423n4/2022-07-ens/blob/main/contracts/wrapper/NameWrapper.sol#L820

  1. Missing events and emit

The following functions are missing emits and/or events for their operations which could be useful in third-party monitoring.

Owned.setOwner() - https://github.com/code-423n4/2022-07-ens/blob/main/contracts/dnssec-oracle/Owned.sol#L18-L20

  1. Return values are ignored

buf.init() , buf.append() in DNSSECImpl.verifyKeyWithDS() return values but are ignored.

https://github.com/code-423n4/2022-07-ens/blob/main/contracts/dnssec-oracle/DNSSECImpl.sol#L318-L320

  1. Built-in symbol shadowing

local variable now shadows built-in symbol now in DNSSECImpl.verifyRRSet() and DNSSECImpl.validateSignedSet() -

https://github.com/code-423n4/2022-07-ens/blob/main/contracts/dnssec-oracle/DNSSECImpl.sol#L110

DNSSEC.verifyRRSet() - https://github.com/code-423n4/2022-07-ens/blob/main/contracts/dnssec-oracle/DNSSEC.sol#L18

  1. Public function can be internal function instead

ETHRegistrarController.makeCommitment()

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter