Back to jayjonah8's contests

Foundation contest - jayjonah8's results

Building the new creative economy

General Information

Platform: Code4rena

Start Date: 24/02/2022

Pot Size: $75,000 USDC

Total HM: 21

Participants: 28

Period: 7 days

Judge: alcueca

Total Solo HM: 15

Id: 94

League: ETH

Foundation

Findings Distribution

Researcher Performance

Rank: 26/28

Findings: 1

Award: $181.02

🌟 Selected for report: 0

πŸš€ Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryFoundation

Findings Information

🌟 Selected for report: leastwood

Also found by: 0x1f8b, 0xliumin, 0xwags, CertoraInc, Dravee, IllIllI, Ruhum, TerrierLover, WatchPug, cmichel, csanuragjain, defsec, gzeon, hubble, jayjonah8, kenta, kirk-baird, rfa, robee

Awards

181.0202 USDC - $181.02

Labels

bug
QA (Quality Assurance)
disagree with severity
sponsor confirmed

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-02-foundation/blob/main/contracts/mixins/NFTMarketOffer.sol#L150

Vulnerability details

Impact

In NFTMarketOffer.sol the adminCancelOffers() function has comments above it that mention

"tokenIds The ids of the NFTs to cancel. This must be the same length as nftContracts"

This means that both the tokensIds and nftContracts arrays must be the same length but this is not required in the code of the function itself which can lead to the function failing.

Proof of Concept

https://github.com/code-423n4/2022-02-foundation/blob/main/contracts/mixins/NFTMarketOffer.sol#L150

Tools Used

Manual code review

Add to adminCancelOffers() function:
require(nftContracts.length == tokenIds.length, Arrays must be same length");

#0 - HardlyDifficult

2022-02-24T22:37:35Z

This seems like a 1 (Low Risk) issue.

  • Only impacts calls reserved for use by Foundation admins.
  • Does not lead to abuse:
    • If nftContracts is larger than the function reverts as expected (with an index out of bounds error).
    • If tokenIds is larger than the additional data is simply ignored.

The latter is an indication of user error and we agree reverting is better than processing a request that may not align with the caller's full expectations. We will add the recommended require statement to this call.

#1 - alcueca

2022-03-16T09:43:27Z

Assets not at risk, function not at risk. Severity 1 is correct.

@NickCuso, have you considered using an array of structs instead of two arrays?

struct CancelOffer {
    address nftContract;
    uint256 tokenId;
}

function adminCancelOffers(
    CancelOffer[] calldata cancelOffers,
    string calldata reason
)

#2 - HardlyDifficult

2022-03-16T12:47:30Z

Yes - we originally did not go that route because of poor support on etherscan and defender, but I believe both have been updated to support structs better now. It would be good to revisit patterns like this again.

#3 - CloudEllie

2022-03-24T19:02:01Z

Since this issue was downgraded to a QA level, and the warden did not submit a separate QA report, we've renamed this one to "QA report" for consistency.

The original title, for the record, was "no check that array length arguments are the same."

#4 - alcueca

2022-03-25T20:43:06Z

This would be a QA Score of 10 by my metrics.

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax Β© 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter