Platform: Code4rena
Start Date: 10/06/2021
Pot Size: $45,000 USDC
Total HM: 21
Participants: 12
Period: 7 days
Judge: LSDan
Total Solo HM: 13
Id: 13
League: ETH
Rank: 8/12
Findings: 3
Award: $585.97
🌟 Selected for report: 2
🚀 Solo Findings: 0
🌟 Selected for report: maplesyrup
Also found by: heiho1
heiho1
RCMarket overrides NativeMetaTransaction, which declares a payable executeMetaTransaction. This function accepts a functionSignature and calls the function from the userAddress. This appears to be a possible attack vector.
This function is payable but the encoded function invocation is arbitrary. This could potentially lead to locked ether as there is no clear withdrawal semantics.
Slither
If there is no clear reason for the method to be payable then it should not be made payable. If there is a reason then a withdrawal mechanism should be supported, i.e.
https://docs.soliditylang.org/en/v0.5.3/solidity-by-example.html#safe-remote-purchase
#0 - Splidge
2021-06-15T08:57:41Z
Duplicate of #43
#1 - dmvt
2021-07-11T11:02:10Z
duplicate of #43
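The locked-ether pattern from this finding, shown as an added illustration that is not code from the RealityCards repository or from the warden: a minimal meta-transaction executor whose payable entry point strands attached ether, beside a variant that credits the value to the relayer and exposes a pull-style withdrawal as the finding recommends. Contract names, the `credits` mapping and `withdraw()` are hypothetical; signature verification is omitted so the value handling stands out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not project code). Mirrors the shape of the reported issue:
// the entry point is payable, but msg.value is neither forwarded nor tracked.
contract MetaTxLockedEther {
    function executeMetaTransaction(address userAddress, bytes calldata functionSignature)
        external payable returns (bytes memory)
    {
        // Inner self-call carries no value, so any ether sent here stays in the
        // contract with no function able to move it out again.
        (bool ok, bytes memory ret) =
            address(this).call(abi.encodePacked(functionSignature, userAddress));
        require(ok, "call failed");
        return ret;
    }
}

// Hardened variant: if the entry point must stay payable, account for every
// wei received and let the payer pull it back (withdrawal pattern).
contract MetaTxWithWithdrawal {
    mapping(address => uint256) public credits;

    function executeMetaTransaction(address userAddress, bytes calldata functionSignature)
        external payable returns (bytes memory)
    {
        // The relayer (msg.sender) is the account that attached the value.
        if (msg.value > 0) {
            credits[msg.sender] += msg.value;
        }
        (bool ok, bytes memory ret) =
            address(this).call(abi.encodePacked(functionSignature, userAddress));
        require(ok, "call failed");
        return ret;
    }

    function withdraw() external {
        uint256 amount = credits[msg.sender];
        require(amount > 0, "nothing to withdraw");
        credits[msg.sender] = 0; // effects before interaction
        (bool sent, ) = msg.sender.call{value: amount}("");
        require(sent, "transfer failed");
    }
}
```

If there is no reason for the entry point to receive ether at all, simply dropping `payable` is the smaller fix: the EVM then reverts any call that carries value.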
🌟 Selected for report: heiho1
0 USDC - $0.00
heiho1
RCMarket#tokenURI(uint256) is declared external in the IRCMarket interface but is declared public in the RCMarket implementation. This is inconsistent and affects the gas behavior of the function: https://gus-tavo-guim.medium.com/public-vs-external-functions-in-solidity-b46bcf0ba3ac
Slither
Mark the implementation method as external.
#0 - Splidge
2021-06-14T13:39:42Z
I believe this to only be a Gas optimization problem as suggested in the impact and so the severity should be reduced.
#1 - Splidge
2021-06-21T10:03:10Z
fixed here
#2 - dmvt
2021-07-10T16:26:31Z
I agree... I fail to see the risk and the warden has not provided reasoning for making this medium. Downgrading to G
0 USDC - $0.00
heiho1
RCMarket#initialize(uint256,uint32[],uint256,uint256,address,address,address[],address,string) has a potentially expensive loop that modifies state continually over an indeterminate number of cards.
Slither
Potentially a gas-expensive loop because of the arbitrary length of _cardAffiliateAddresses, possibly assigning to the state variable cardAffiliateCut multiple times.
#0 - Splidge
2021-06-21T10:02:42Z
implemented here
0 USDC - $0.00
heiho1
RCMarket#_realitioAddress is never initialized and is public. This is intended to be an oracle address but the realitio oracle is assigned alternatively. As it is unused and public it should either be removed or made functional.
Slither
Removed unused addresses.
#0 - Splidge
2021-06-14T13:37:16Z
Duplicate of #7
#1 - dmvt
2021-07-09T13:39:44Z
duplicate of #7
#2 - dmvt
2021-07-09T13:39:56Z
Agree that there is no risk here.