Sherlock contest - hack3r-0m's results

Decentralized exploit protection.

General Information

Platform: Code4rena

Start Date: 20/01/2022

Pot Size: $80,000 USDC

Total HM: 5

Participants: 37

Period: 7 days

Judge: Jack the Pug

Total Solo HM: 1

Id: 76

League: ETH

Sherlock

Findings Distribution

Researcher Performance

Rank: 11/37

Findings: 1

Award: $1,972.28

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: hyh

Also found by: GreyArt, hack3r-0m

Labels

bug
duplicate
2 (Med Risk)

Awards

1972.2849 USDC - $1,972.28

External Links

Handle

hack3r-0m

Vulnerability details

https://github.com/code-423n4/2022-01-sherlock/blob/main/contracts/Sherlock.sol#L673

When initialStake is called, it mints the NFT, and in the before-transfer hook, addressShares[msg.sender] is credited with the minted shares.

When redeemNFT is called, it burns the NFT, and in the before-transfer hook, the burned shares are subtracted from addressShares[msg.sender].

On arbRestake, however, some fraction of stakeShare is redeemed by the arb, but as there is no token transfer, that fraction is not deducted from addressShares of the owner, resulting in an improper amount and miscalculation in accounting.

Until the owner calls redeemNFT, the correct calculation is not updated.

Tools Used

Manual Review

Update addressShares of the owner on arbRestake.

#0 - Evert0x

2022-02-09T17:44:10Z

#109
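A simplified Python model of the bookkeeping described in the finding above, added here as an illustration (it is not the Sherlock contract code or the auditor's own): it tracks per-token shares against the cached `addressShares` total and reports the drift after `arbRestake`, with and without the suggested update. The class and method names, the owner name, the share amounts and the one-fifth arb fraction are constructed assumptions.

```python
# Simplified model of the share bookkeeping described in the finding.
# Names echo the page (addressShares, arbRestake); the amounts and the
# arb fraction are constructed sample values, not Sherlock's code.
from collections import defaultdict
from fractions import Fraction


class StakeLedger:
    def __init__(self, fix_arb_restake):
        self.fix_arb_restake = fix_arb_restake
        self.owner_of = {}                      # token id -> owner
        self.stake_shares = {}                  # token id -> shares behind the NFT
        self.address_shares = defaultdict(int)  # owner -> cached share total
        self._next_id = 1

    def initial_stake(self, owner, shares):
        """Mint: the transfer hook credits addressShares[owner]."""
        token_id = self._next_id
        self._next_id += 1
        self.owner_of[token_id] = owner
        self.stake_shares[token_id] = shares
        self.address_shares[owner] += shares
        return token_id

    def arb_restake(self, token_id, arb_fraction):
        """Arb redeems a fraction of the position; no transfer, so no hook runs."""
        arb_shares = int(self.stake_shares[token_id] * arb_fraction)
        self.stake_shares[token_id] -= arb_shares
        if self.fix_arb_restake:
            # Suggested mitigation: update addressShares of the owner here.
            self.address_shares[self.owner_of[token_id]] -= arb_shares
        return arb_shares

    def drift(self, owner):
        """Cached addressShares[owner] minus the shares the owner's NFTs hold."""
        held = sum(s for t, s in self.stake_shares.items()
                   if self.owner_of[t] == owner)
        return self.address_shares[owner] - held


def run_scenario(fix_arb_restake):
    ledger = StakeLedger(fix_arb_restake)
    token = ledger.initial_stake("alice", 1_000)  # constructed values
    ledger.initial_stake("alice", 500)
    ledger.arb_restake(token, Fraction(1, 5))     # arb takes 200 shares
    return ledger.drift("alice")


if __name__ == "__main__":
    print("drift without fix:", run_scenario(False))
    print("drift with fix:   ", run_scenario(True))
```

A non-zero drift is the invariant violation to test for: the cached per-owner total should always equal the sum of shares behind that owner's NFTs.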
