Platform: Code4rena
Start Date: 01/08/2023
Pot Size: $91,500 USDC
Total HM: 14
Participants: 80
Period: 6 days
Judge: gzeon
Total Solo HM: 6
Id: 269
League: ETH
Rank: 51/80
Findings: 2
Award: $28.23
π Selected for report: 0
π Solo Findings: 0
π Selected for report: dd0x7e8
Also found by: Bughunter101, Fulum, Kaysoft, MatricksDeCoder, SanketKogekar, Sathish9098, T1MOH, Udsen, debo, fatherOfBlocks, grearlake, hpsb, j4ld1na, josephdara, parsely, pep7siup, piyushshukla, ravikiranweb3, shirochan
12.8772 USDC - $12.88
https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/helper/V3Proxy.sol#L156 https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/helper/V3Proxy.sol#L174 https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/helper/V3Proxy.sol#L192
The functions do not check the return value of low-level calls. This can lock Ether in the contract if the call fails or may compromise the contract if the ownership is being changed. The following calls were detected without return value validations - call
Check both the links: https://swcregistry.io/docs/SWC-104/ https://coinsbench.com/unchecked-return-value-in-smart-contracts-providing-an-attack-surface-dab2eed64251#:~:text=When%20the%20return%20value%20of,be%20executed%20causing%20unexpected%20behavior.
Manual Review
Ensure return value is checked using conditional statements for low-level calls. We should also ensure that we log failed calls using events.
call/delegatecall
#0 - c4-pre-sort
2023-08-08T15:03:10Z
141345 marked the issue as low quality report
#1 - c4-pre-sort
2023-08-09T01:51:53Z
141345 marked the issue as primary issue
#2 - c4-pre-sort
2023-08-10T06:02:55Z
141345 marked the issue as duplicate of #83
#3 - c4-judge
2023-08-20T17:11:35Z
gzeon-c4 marked the issue as satisfactory
π Selected for report: Team_FliBit
Also found by: 0x70C9, 3docSec, 8olidity, DavidGiladi, Krace, LokiThe5th, Rolezn, Sathish9098, UniversalCrypto, banpaleo5, catellatech, digitizeworx, fatherOfBlocks, hpsb, j4ld1na, josephdara, kutugu, niser93, nonseodion, oakcobalt, osmanozdemir1, pep7siup, ravikiranweb3, said, sivanesh_808
15.3494 USDC - $15.35
https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/TokenisableRange.sol#L228 https://github.com/code-423n4/2023-08-goodentry/blob/71c0c0eca8af957202ccdbf5ce2f2a514ffe2e24/contracts/TokenisableRange.sol#L229
Some tokens do not revert the transaction when the transfer or transferFrom fails and returns False. Hence we must check the return value after calling the transfer or transferFrom function.
Check the last answer here:
https://ethereum.stackexchange.com/questions/136039/what-is-best-practice-for-transferfrom-out-of-these-two-ways
In short:
So using token.transferFrom(msg.sender, addr, amount); is NOT enough. The risk is that you're assuming the transfer was successful when actually it wasn't. Example of tokens that don't revert: ZRX, HT, WOO.
The safest method is using this:
(bool success, bytes memory data) = address(token).call(abi.encodeWithSelector(token.transferFrom.selector, from, to, value)); require(success && (data.length == 0 || abi.decode(data, (bool))), 'token transfer from sender failed');
This is the one used by Openzeppelin's SafeERC20 library.
Manual Report
Use OpenZeppelin SafeERC20's safetransfer and safetransferFrom functions.
Token-Transfer
#0 - 141345
2023-08-08T15:01:05Z
QA might be more appropriate.
not enough balance, deposit() will fail.
bot race missed instance.
#1 - c4-sponsor
2023-08-15T01:13:31Z
Keref marked the issue as sponsor confirmed
#2 - c4-sponsor
2023-08-15T01:13:35Z
Keref marked the issue as disagree with severity
#3 - Keref
2023-08-18T03:07:57Z
See PR#7
#4 - c4-judge
2023-08-19T15:33:41Z
gzeon-c4 changed the severity to QA (Quality Assurance)
#5 - c4-judge
2023-08-20T16:41:07Z
gzeon-c4 marked the issue as grade-b