Platform: Code4rena
Start Date: 13/12/2022
Pot Size: $36,500 USDC
Total HM: 5
Participants: 77
Period: 3 days
Judge: gzeon
Total Solo HM: 1
Id: 191
League: ETH
Rank: 66/77
Findings: 1
Award: $19.22
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Soosh
Also found by: 9svR6w, Apocalypto, Ch_301, HE1M, Koolex, SmartSek, Titi, Trust, Zarf, bin2chen, btk, carrotsmuggler, csanuragjain, dic0de, dipp, gz627, hansfriese, hihen, imare, immeas, indijanc, jadezti, kuldeep, ladboy233, maks, neumo, obront, rvierdiiev, sces60107, sk8erboy
19.2206 USDC - $19.22
lastResortTimelockOwnerClaimNFT() as the name says is used in case the winning user doesn't retrieve the won NFT token and in such case the owner can rescue the NFT from the contract.
The mentioned function can be only called after a certain period is passed:
if (settings.recoverTimelock > block.timestamp) { // Stop the withdraw revert RECOVERY_IS_NOT_YET_POSSIBLE(); }
This and the onlyOwner are the only check that prevents the function from being executed.
The problem is that the variable settings.recoverTimelock is only checked to be correct when initializing the contract. But the beginning of the draw can happen at a much later time.
The minimal time checked for recoverTimelock is set to be a least a week.
If a user/owner creates a draw and waits a week plus one second to call startDraw() now even if the draw is not yet finished the owner can immediately call lastResortTimelockOwnerClaimNFT() to regain the NFT back.
When the winning user is chosen it can no longer get the NFT because is already gone. There was no waiting time for the user to retrieve the NFT token even if the draw just started.
The only place that checks settings.recoverTimelock is in the initialization routine:
Manual review
Use settings.recoverTimelock variable like is done with settings.drawBufferTime.
In the initialization method check if the interval is correct.
Then only in _requestRoll() recalculate the real end for recoverTimelock.
In the meantime the user/owner will not be able to call lastResortTimelockOwnerClaimNFT() because the if check will still fail with the recoverTimelock value being smaller then block.timestamp.
// this will still fail and will protect the function from being called before startDraw() + recoverTimelock time if (settings.recoverTimelock > block.timestamp) {
Note: the recalculation of recoverTimelock can also be done once in startDraw() where the NFT is first transferred (and locked) to the contract. But in this case if a redraw happens the owner again can get the NFT out much faster then the winning user.
#0 - c4-judge
2022-12-17T15:29:03Z
gzeon-c4 marked the issue as duplicate of #146
#1 - c4-judge
2023-01-23T16:53:03Z
gzeon-c4 marked the issue as satisfactory
#2 - c4-judge
2023-01-23T17:09:24Z
gzeon-c4 changed the severity to 3 (High Risk)