Platform: Code4rena
Start Date: 18/10/2022
Pot Size: $75,000 USDC
Total HM: 27
Participants: 144
Period: 7 days
Judge: gzeon
Total Solo HM: 13
Id: 170
League: ETH
Rank: 25/144
Findings: 2
Award: $351.52
🌟 Selected for report: 0
🚀 Solo Findings: 0
https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/HolographBridge.sol#L274-L282 https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/HolographOperator.sol#L593 https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/module/LayerZeroModule.sol#L293
When a user creates a beam request for a destination chain, the user can input zero as a value for gasLimit. With this, the user is able to make the request without paying any fees to Hologram since messagingModule.getHlgFee(toChain, gasLimit, gasPrice); would return 0 in https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/HolographOperator.sol#L593
hlgFee returns 0 in the call to getHlgFee() in the messagingmodule contract https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/module/LayerZeroModule.sol#L293msg.value without any deductible fees.hToken contract.Manual review
Add a zero value check.
#0 - gzeoneth
2022-10-31T13:20:57Z
Duplicate of #294
🌟 Selected for report: Rolezn
Also found by: 0x1f8b, 0x52, 0x5rings, 0xNazgul, 0xSmartContract, 0xZaharina, 0xhunter, 0xzh, 8olidity, Amithuddar, Aymen0909, B2, Bnke0x0, Chom, Deivitto, Diana, Diraco, Dravee, Franfran, JC, Jeiwan, Josiah, JrNet, Jujic, KingNFT, KoKo, Lambda, Margaret, Migue, Ocean_Sky, PaludoX0, Picodes, Rahoz, RaoulSchaffranek, RaymondFam, RedOneN, ReyAdmirado, Shinchan, Tagir2003, Trust, Waze, Yiko, __141345__, a12jmx, adriro, ajtra, arcoun, aysha, ballx, bin2chen, bobirichman, brgltd, bulej93, catchup, catwhiskeys, caventa, cccz, cdahlheimer, ch0bu, chaduke, chrisdior4, cloudjunky, cryptostellar5, cryptphi, csanuragjain, cylzxje, d3e4, delfin454000, djxploit, durianSausage, erictee, fatherOfBlocks, francoHacker, gianganhnguyen, gogo, hansfriese, i_got_hacked, ignacio, imare, karanctf, kv, leosathya, louhk, lukris02, lyncurion, m_Rassska, malinariy, martin, mcwildy, mics, minhtrng, nicobevi, oyc_109, pashov, peanuts, pedr02b2, peiw, rbserver, ret2basic, rotcivegaf, rvierdiiev, ryshaw, sakman, sakshamguruji, saneryee, securerodd, seyni, sikorico, svskaushik, teawaterwire, tnevler, w0Lfrum
0 USDC - $0.00
https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/HolographOperator.sol#L596 https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/enforcer/PA1D.sol#L396
The use of the deprecated transfer() function for an address will inevitably make the transaction fail when the caller is a smart contract and:
1. Does not implement a payable function. 2. Implements a payable fallback which uses more than 2300 gas unit. 3. Implements a payable fallback function that needs less than 2300 gas units but is called through proxy, raising the call's gas usage above 2300.
Additionally, using higher than 2300 gas might be mandatory for some multisig wallets.
https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/HolographOperator.sol#L596 https://github.com/code-423n4/2022-10-holograph/blob/main/contracts/enforcer/PA1D.sol#L396
Manual review
using call() instead of transfer() is recommended as suggested in https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/
#0 - gzeoneth
2022-10-28T09:23:29Z
Duplicate of #33
#1 - gzeoneth
2022-11-21T07:20:50Z
As QA report