Platform: Code4rena
Start Date: 20/09/2022
Pot Size: $100,000 USDC
Total HM: 4
Participants: 109
Period: 7 days
Judge: GalloDaSballo
Id: 163
League: ETH
Rank: 106/109
Findings: 1
Award: $55.20
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0x52, 0x5rings, 0xNazgul, 0xRobocop, 0xSmartContract, 0xdeadbeef, 0xsanson, 8olidity, Amithuddar, Aymen0909, B2, B353N, CertoraInc, Ch_301, Chom, CodingNameKiki, Deivitto, ElKu, Funen, JC, JohnnyTime, Kresh, Lambda, Noah3o6, RaymondFam, ReyAdmirado, RockingMiles, Rolezn, Sm4rty, SuldaanBeegsi, Tadashi, TomJ, Tomio, V_B, Waze, __141345__, a12jmx, ak1, arcoun, asutorufos, aviggiano, berndartmueller, bharg4v, bin2chen, brgltd, bulej93, c3phas, catchup, cccz, ch0bu, cryptonue, cryptphi, csanuragjain, delfin454000, devtooligan, djxploit, durianSausage, eighty, erictee, exd0tpy, fatherOfBlocks, giovannidisiena, hansfriese, ignacio, joestakey, ladboy233, lukris02, m9800, malinariy, martin, minhtrng, obront, oyc_109, pedr02b2, pedroais, pfapostol, philogy, prasantgupta52, rbserver, ronnyx2017, rotcivegaf, rvierdiiev, sach1r0, shung, simon135, throttle, tnevler, tonisives, wagmi, yixxas, zkhorse, zzykxx, zzzitron
55.1985 USDC - $55.20
In GobblerReserve.withdraw, The ArtGobblers.transferFrom() method is used to transfer the gobblers to the recipient to. The problem is that this function does not check whether the recipient can handle ERC721 tokens, which means it could transfer Gobblers to a wallet/contract that cannot handle it, resulting in the loss/freeze of these Gobblers.
Medium
Manual Analysis
Add one more check in ArtGobblers.transferFrom()
sol 885: require(from == getGobblerData[id].owner, "WRONG_FROM"); 886: 887: require(to != address(0), "INVALID_RECIPIENT"); 888: 889: require( 890: msg.sender == from || isApprovedForAll[from][msg.sender] || msg.sender == getApproved[id], 891: "NOT_AUTHORIZED" 892: ); + require( + to.code.length == 0 || + ERC721TokenReceiver(to).onERC721Received(msg.sender, from, id, "") == + ERC721TokenReceiver.onERC721Received.selector, + "UNSAFE_RECIPIENT" + );
#0 - Shungy
2022-09-27T22:12:09Z
You have safeTransferFrom for this purpose: https://github.com/code-423n4/2022-09-artgobblers/blob/d2087c5a8a6a4f1b9784520e7fe75afa3a9cbdbe/src/utils/token/GobblersERC721.sol#L137-L141
Suggested mitigation breaks standard, introduces bugs, increases gas cost.
#1 - GalloDaSballo
2022-09-29T20:22:01Z
#2 - GalloDaSballo
2022-10-11T21:56:38Z
L
#3 - Philogy
2022-10-27T09:59:03Z
@JeeberC4 how is this not a duplicate of #322 ? The only difference seems to be the suggested mitigation
#4 - GalloDaSballo
2022-10-27T16:28:02Z
@JeeberC4 how is this not a duplicate of #322 ? The only difference seems to be the suggested mitigation
Jeeber is setting up for the QA math, it's not judging
QAs are dedouped to be added to QA reports, this is more of a backend task
See judging which is consistent between all findings marked as dups (QA - L)
TL;DR do not read into Jeeber's work it's not the same as judging
#5 - Philogy
2022-10-27T16:31:40Z
Oh my bad :sweat_smile:
Is it always just Jeeber or is there a list of who does judging / QA maths so I can keep track of things? thx again, still getting onboarded as a new backstage warden :pray:
#6 - GalloDaSballo
2022-10-27T16:38:41Z
There should always be one Judge, the rest should be taken with a grain of salt, feel free to as in Backstage if you don't know who the Judge is