Platform: Code4rena
Start Date: 26/07/2022
Pot Size: $75,000 USDC
Total HM: 29
Participants: 179
Period: 6 days
Judge: LSDan
Total Solo HM: 6
Id: 148
League: ETH
Rank: 75/179
Findings: 2
Award: $130.02
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: cloudjunky
Also found by: 0x1f8b, 0x4non, 0x52, 0xDjango, 0xHarry, 0xNazgul, 0xNineDec, 0xf15ers, 0xsanson, 0xsolstars, 8olidity, Bnke0x0, CertoraInc, Chom, Deivitto, Dravee, GalloDaSballo, GimelSec, IllIllI, Jmaxmanblue, JohnSmith, Jujic, Kenshin, Krow10, Lambda, MEP, Noah3o6, RedOneN, Ruhum, StErMi, StyxRave, TomJ, Treasure-Seeker, TrungOre, _Adam, __141345__, arcoun, asutorufos, bardamu, bearonbike, bin2chen, brgltd, bulej93, c3phas, cRat1st0s, carlitox477, cccz, codexploder, cryptonue, cryptphi, cthulhu_cult, dharma09, dipp, djxploit, durianSausage, ellahi, giovannidisiena, hansfriese, horsefacts, hyh, immeas, indijanc, jayjonah8, jayphbee, joestakey, kenzo, kyteg, ladboy233, minhquanym, navinavu, obront, oyc_109, peritoflores, rbserver, reassor, rokinot, rotcivegaf, saian, scaraven, shenwilly, simon135, sseefried, teddav, zzzitron
0.0037 USDC - $0.00
https://github.com/code-423n4/2022-07-golom/blob/main/contracts/core/GolomTrader.sol#L154
In GolomTrader.sol the 'payEther()' function handles royalty transfers. It uses '.transfer()' to send ether which has a 2300 gas limit. In running the test's included in the repo, it clearly shows that every function that uses 'payEther()' uses far more than the 2300 gas limit even up until the first time that 'payEther()' is called which means every function that uses 'payEther()' can fail. All the main functions in GolomTrader.sol use this function including 'fillAsk()', and '_settleBalances()' which is called at the end of 'fillCriteriaBid()' and 'fillBid()'. This impacts the core functionality of the protocol.
https://github.com/code-423n4/2022-07-golom/blob/main/contracts/core/GolomTrader.sol#L154
https://solidity-by-example.org/sending-ether/
Manual code review
It's recommended to use '.call() ' when sending ether instead which forwards all gas and returns a boolean and to guard against reentrancy with reentrancy guards.
#0 - KenzoAgada
2022-08-03T14:08:13Z
Duplicate of #343
130.0175 USDC - $130.02
https://github.com/code-423n4/2022-07-golom/blob/main/contracts/core/GolomTrader.sol#L176 https://github.com/code-423n4/2022-07-golom/blob/e5efa8f9d6dda92a90b8b2c4902320acf0c26816/contracts/core/GolomTrader.sol#L177-L180
In GolomTrader.sol the 'validateOrder()' function makes a call to 'ecrecover()' to grab the 'signaturesigner'. The problem is that if 'ecrecover()' fails it will return a 0 which is currently not guarded against. This was a problem in the famous Polygon Matic token bug. There should be validation that the return value from 'ecrecover()' is not zero to prevent malicious hashes from being passed in. Also The next 4 lines of code present a problem which will never allow the if statement to run even when it should.
address signaturesigner = ecrecover(hash, o.v, o.r, o.s); require(signaturesigner == o.signer, 'invalid signature'); if (signaturesigner != o.signer) { return (0, hashStruct, 0); }
With the current require statement here. The following if statement could never be true. This means the 'validateOrder()' function could never return an OrderStatus of 0 which should be an option for the function to return.
https://github.com/code-423n4/2022-07-golom/blob/main/contracts/core/GolomTrader.sol#L176
Manual code review
Add: address signaturesigner = ecrecover(hash, o.v, o.r, o.s); require(signaturesidnger != 0, "Recovery failed")
Also the 'require(signaturesigner == o.signer, 'invalid signature');' should be removed and everywhere 'validateOrder()' is called the Order status should be validated by reverting if it is 0.
#0 - KenzoAgada
2022-08-05T02:01:12Z
Duplicate of #357