Platform: Code4rena
Start Date: 06/12/2022
Pot Size: $36,500 USDC
Total HM: 16
Participants: 119
Period: 3 days
Judge: berndartmueller
Total Solo HM: 2
Id: 189
League: ETH
Rank: 81/119
Findings: 2
Award: $29.42
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: RaymondFam
Also found by: 0xdeadbeef0x, 0xhacksmithh, AkshaySrivastav, Awesome, Bnke0x0, CRYP70, HollaDieWaldfee, JC, Parth, Rahoz, Tutturu, __141345__, ahmedov, ajtra, asgeir, aviggiano, bin2chen, btk, carrotsmuggler, cccz, chaduke, cryptonue, dic0de, fatherOfBlocks, fs0c, hansfriese, jonatascm, karanctf, ladboy233, lumoswiz, martin, obront, pashov, pauliax, rvierdiiev, shark, simon135, supernova, tourist, yellowBirdy, zapaz, zaskoh
0.6136 USDC - $0.61
https://github.com/code-423n4/2022-12-escher/blob/main/src/minters/OpenEdition.sol#L92 https://github.com/code-423n4/2022-12-escher/blob/main/src/minters/FixedPrice.sol#L109 https://github.com/code-423n4/2022-12-escher/blob/main/src/minters/LPDA.sol#L85 https://github.com/code-423n4/2022-12-escher/blob/main/src/minters/LPDA.sol#L86 https://github.com/code-423n4/2022-12-escher/blob/main/src/minters/LPDA.sol#L105
The transfer() and send() functions forward a fixed amount of 2300 gas. Historically, it has often been recommended to use these functions for value transfers to guard against reentrancy attacks. However, the gas cost of EVM instructions may change significantly during hard forks which may break already deployed contract systems that make fixed assumptions about gas costs. For example. EIP 1884 broke several existing smart contracts due to a cost increase of the SLOAD instruction.
The use of the deprecated transfer() function for an address will inevitably make the transaction fail when:
Use call() instead of transfer(), but be sure to respect the CEI pattern and/or add re-entrancy guards, as several hacks already happened in the past due to this recommendation not being fully understood.
More info on;
https://swcregistry.io/docs/SWC-134
#0 - c4-judge
2022-12-10T00:29:33Z
berndartmueller marked the issue as duplicate of #99
#1 - c4-judge
2023-01-03T12:45:22Z
berndartmueller marked the issue as satisfactory
🌟 Selected for report: ladboy233
Also found by: 0x1f8b, Matin, UniversalCrypto, gzeon, karanctf, minhquanym, obront, rvierdiiev, seyni, slvDev, yixxas
28.8137 USDC - $28.81
https://github.com/code-423n4/2022-12-escher/blob/main/src/minters/LPDA.sol#L101
Unsafe typecast on from uint256 to uint80 in refund() funciton in LPDA.sol
There is a risk of overflow or underflow if the uint256 value is too large or too small to be represented by a uint80 type. This could result in unpredictable behavior or vulnerabilities in the contract.
uint80 price = uint80(getPrice()) * r.amount;
In above expression it calls getPrice() which returns uint256.
Use SafeCast library in OpenZeppelin which is a utility library that provides safe and reliable methods for casting between different numeric types in Solidity.
#0 - c4-judge
2022-12-10T17:11:09Z
berndartmueller marked the issue as duplicate of #369
#1 - c4-judge
2023-01-03T13:52:21Z
berndartmueller marked the issue as partial-50
#2 - c4-judge
2023-01-03T13:52:46Z
berndartmueller marked the issue as satisfactory
#3 - c4-judge
2023-01-03T13:52:57Z
berndartmueller marked the issue as partial-50