Platform: Code4rena
Start Date: 08/11/2022
Pot Size: $60,500 USDC
Total HM: 6
Participants: 72
Period: 5 days
Judge: Picodes
Total Solo HM: 2
Id: 178
League: ETH
Rank: 58/72
Findings: 1
Award: $36.34
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: RaymondFam
Also found by: 0x1f8b, 0x52, 0xSmartContract, 0xc0ffEE, 0xhacksmithh, 8olidity, Awesome, BClabs, Bnke0x0, Chom, Deivitto, Hashlock, IllIllI, Josiah, KingNFT, Nyx, R2, ReyAdmirado, Rolezn, SamGMK, Sathish9098, SinceJuly, V_B, Vadis, Waze, a12jmx, adriro, ajtra, aphak5010, bearonbike, bin, brgltd, carlitox477, carrotsmuggler, cccz, ch0bu, chaduke, datapunk, delfin454000, erictee, fatherOfBlocks, fs0c, horsefacts, jayphbee, ktg, ladboy233, pashov, perseverancesuccess, rbserver, ret2basic, tnevler, zaskoh
36.3434 USDC - $36.34
ecrecover is susceptible to signature malleability
The ecrecover function is used to recover the address from the signature. The built-in EVM precompile ecrecover is susceptible to signature malleability, which could lead to replay attacks (references: https://swcregistry.io/docs/SWC-117, https://swcregistry.io/docs/SWC-121 and https://medium.com/cryptronics/signature-replay-vulnerabilities-in-smart-contracts-3b6f7596df57).
Consider using OpenZeppelin’s ECDSA library (which prevents this malleability) instead of the built-in function.
contracts/SignatureChecker.sol:L60 signer = ecrecover(hash, v, r, s);
While floating pragmas make sense for libraries to allow them to be included with multiple different versions of applications, it may be a security risk for application implementations.
A known vulnerable compiler version may accidentally be selected, or security tools might fall back to an older compiler version and end up checking a different EVM compilation than the one that is ultimately deployed on the blockchain.
It is recommended to pin to a concrete compiler version.
contracts/SignatureChecker.sol:L2 pragma solidity ^0.8.14;
contracts/OwnableTwoSteps.sol:L2 pragma solidity ^0.8.14;
contracts/ReentrancyGuard.sol:L2 pragma solidity ^0.8.14;
contracts/lowLevelCallers/LowLevelETH.sol:L2 pragma solidity ^0.8.14;
contracts/lowLevelCallers/LowLevelERC20Transfer.sol:L4 pragma solidity ^0.8.14;
contracts/lowLevelCallers/LowLevelERC1155Transfer.sol:L2 pragma solidity ^0.8.14;
contracts/lowLevelCallers/LowLevelERC721Transfer.sol:L2 pragma solidity ^0.8.14;
contracts/lowLevelCallers/LowLevelERC20Approve.sol:L2 pragma solidity ^0.8.14;
contracts/interfaces/IERC721.sol:L2 pragma solidity ^0.8.0;
contracts/interfaces/IERC1155.sol:L2 pragma solidity ^0.8.0;
contracts/interfaces/IERC20.sol:L2 pragma solidity ^0.8.0;
Zero-address checks are a best practice for input validation of critical address parameters. Accidental use of zero-addresses may result in exceptions, burn fees/tokens, or force redeployment of contracts.
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/ERC20EnabledLooksRareAggregator.sol#L22
https://github.com/code-423n4/2022-11-looksrare/blob/main/contracts/proxies/LooksRareProxy.sol#L38-L39
#0 - c4-judge
2022-11-21T19:36:12Z
Picodes marked the issue as grade-b
#1 - 0xhiroshi
2022-11-24T12:36:42Z
All addressed in other issues
#2 - c4-sponsor
2022-11-24T12:36:46Z
0xhiroshi requested judge review