Forgeries contest - dic0de's results

A protocol for on-chain games with NFT prizes on Ethereum.

General Information

Platform: Code4rena

Start Date: 13/12/2022

Pot Size: $36,500 USDC

Total HM: 5

Participants: 77

Period: 3 days

Judge: gzeon

Total Solo HM: 1

Id: 191

League: ETH

Forgeries

Researcher Performance

Rank: 67/77

Findings: 1

Award: $19.22

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

19.2206 USDC - $19.22

Labels

bug
3 (High Risk)
satisfactory
duplicate-146

External Links

Lines of code

https://github.com/code-423n4/2022-12-forgeries/blob/fc271cf20c05ce857d967728edfb368c58881d85/src/VRFNFTRandomDraw.sol#L203-L225
https://github.com/code-423n4/2022-12-forgeries/blob/fc271cf20c05ce857d967728edfb368c58881d85/src/VRFNFTRandomDraw.sol#L141-L168

Vulnerability details

Impact

The contract allows the owner to redraw the contest via the redraw() function when the winner has not claimed the NFT within the specified timelines, as shown here: https://github.com/code-423n4/2022-12-forgeries/blob/fc271cf20c05ce857d967728edfb368c58881d85/src/VRFNFTRandomDraw.sol#L203-L225.

The redraw() function checks that the drawTimelock has passed, then deletes the request and calls the _requestRoll() function. The _requestRoll() function only updates request.drawTimelock, as seen here: https://github.com/code-423n4/2022-12-forgeries/blob/fc271cf20c05ce857d967728edfb368c58881d85/src/VRFNFTRandomDraw.sol#L141-L169.

The recoverTimelock is not updated at all. Therefore, it is very possible that a redraw pushes request.drawTimelock later than settings.recoverTimelock, allowing the owner to withdraw the NFT before the redrawn claim period has finished.

Scenario

  1. The contract is initialized with _settings.drawBufferTime set to 3 weeks and _settings.recoverTimelock set to 1 month.
  2. After 3 weeks, the NFT has not been claimed and the owner calls the redraw() function, which pushes the drawTimelock out by a further 3 weeks.
  3. After a month (which is 4 weeks), the _settings.recoverTimelock period has elapsed and the owner can now call lastResortTimelockOwnerClaimNFT().
  4. When the owner recovers the NFT via lastResortTimelockOwnerClaimNFT(), the NFT is transferred to them.

Therefore, the contest cannot be redrawn again, nor can the winner claim their NFT. This means the contest can never end.

Proof of Concept

  1. https://github.com/code-423n4/2022-12-forgeries/blob/fc271cf20c05ce857d967728edfb368c58881d85/src/VRFNFTRandomDraw.sol#L203-L225
  2. https://github.com/code-423n4/2022-12-forgeries/blob/fc271cf20c05ce857d967728edfb368c58881d85/src/VRFNFTRandomDraw.sol#L141-L169
  3. https://github.com/code-423n4/2022-12-forgeries/blob/fc271cf20c05ce857d967728edfb368c58881d85/src/VRFNFTRandomDraw.sol#L304-L320

Tools Used

Consider updating the recoverTimelock during redraw.
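The scenario above and the suggested mitigation, as an added Python model (not the Forgeries contract's own code): it tracks only the two timelocks, assumes a 30-day month, and the `extend_recover_timelock` flag is a hypothetical version of the fix.

```python
# Added example (not the Forgeries project's code): minimal model of the
# VRFNFTRandomDraw timelocks; durations are constructed for the scenario.
WEEK = 7 * 24 * 3600
MONTH = 30 * 24 * 3600  # assumption: one month modelled as 30 days


class DrawModel:
    """Models the two timelocks only; VRF, NFT transfer and auth are omitted."""

    def __init__(self, draw_buffer_time, recover_timelock, now=0):
        self.now = now
        self.draw_buffer_time = draw_buffer_time
        # recoverTimelock is an absolute timestamp fixed at initialization
        self.recover_timelock = now + recover_timelock
        self.draw_timelock = 0
        self.nft_recovered = False
        self._request_roll()

    def _request_roll(self):
        # mirrors _requestRoll(): only drawTimelock is refreshed
        self.draw_timelock = self.now + self.draw_buffer_time

    def redraw(self, extend_recover_timelock=False):
        if self.now < self.draw_timelock:
            raise RuntimeError("redraw too soon")
        self._request_roll()
        if extend_recover_timelock:
            # hypothetical mitigation: keep the recovery window behind the draw window
            self.recover_timelock = max(self.recover_timelock, self.draw_timelock)

    def last_resort_owner_claim(self):
        # mirrors lastResortTimelockOwnerClaimNFT(): gated only on recoverTimelock
        if self.now < self.recover_timelock:
            raise RuntimeError("recover timelock not passed")
        self.nft_recovered = True


def simulate(extend_recover_timelock):
    """Run the finding's scenario; return True if the owner recovered the NFT
    while the redrawn winner's claim window was still open."""
    m = DrawModel(draw_buffer_time=3 * WEEK, recover_timelock=MONTH)
    m.now = 3 * WEEK                  # step 2: winner did not claim, owner redraws
    m.redraw(extend_recover_timelock)
    m.now = MONTH                     # step 3: one month has elapsed
    try:
        m.last_resort_owner_claim()   # step 4
    except RuntimeError:
        return False
    return m.nft_recovered and m.now < m.draw_timelock
```

With the unmodified logic the owner recovers the NFT two weeks before the redrawn drawTimelock expires; with the recoverTimelock extended on redraw the recovery call reverts until the claim window has closed.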

#0 - c4-judge

2022-12-17T13:02:15Z

gzeon-c4 marked the issue as duplicate of #146

#1 - c4-judge

2022-12-17T13:02:19Z

gzeon-c4 marked the issue as satisfactory
