Back to minhquanym's contests

Joyn contest - minhquanym's results

Launchpad for collaborative web3 media projects with blueprints, building blocks, and community support.

General Information

Platform: Code4rena

Start Date: 30/03/2022

Pot Size: $30,000 USDC

Total HM: 21

Participants: 38

Period: 3 days

Judge: Michael De Luca

Total Solo HM: 10

Id: 104

League: ETH

Joyn

Findings Distribution

Researcher Performance

Rank: 22/38

Findings: 3

Award: $325.20

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryJoyn

Findings Information

🌟 Selected for report: hickuphh3

Also found by: 0xDjango, kirk-baird, leastwood, m9800, minhquanym, pedroais

Labels

bug
duplicate
3 (High Risk)
sponsor confirmed

Awards

203.7202 USDC - $203.72

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-03-joyn/blob/c9297ccd925ebb2c44dbc6eaa3effd8db5d2368a/core-contracts/contracts/ERC721Payable.sol#L54 https://github.com/code-423n4/2022-03-joyn/blob/c9297ccd925ebb2c44dbc6eaa3effd8db5d2368a/core-contracts/contracts/CoreCollection.sol#L175

Vulnerability details

Impact

  • It is good to add a require() statement that checks the return value of token transfers or to use something like OpenZeppelin’s safeTransfer/safeTransferFrom unless one is sure the given token reverts in case of a failure. Failure to do so will cause silent failures of transfers and affect token accounting in contract. transferFrom() might return false instead of reverting. In this case, failed transfer allows exploiter to call mintToken for free.

Proof of concept

  • Consider using safeTransfer/safeTransferFrom or require().

#0 - sofianeOuafir

2022-04-14T15:13:57Z

In my opinion, the severity level should be 3 (High Risk) instead of 2 (Med Risk) duplicate of #52

Findings Information

🌟 Selected for report: kirk-baird

Also found by: 0xDjango, Dravee, Ruhum, TomFrenchBlockchain, WatchPug, defsec, hubble, hyh, leastwood, minhquanym

Labels

bug
duplicate
3 (High Risk)
sponsor confirmed

Awards

85.0569 USDC - $85.06

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-03-joyn/blob/c9297ccd925ebb2c44dbc6eaa3effd8db5d2368a/royalty-vault/contracts/RoyaltyVault.sol#L40-L41 https://github.com/code-423n4/2022-03-joyn/blob/c9297ccd925ebb2c44dbc6eaa3effd8db5d2368a/royalty-vault/contracts/RoyaltyVault.sol#L67-L70

Vulnerability details

Impact

  • In function sendToSplitter, line 40 calculate platformShare = (balanceOfVault * platformFee) * 10000;
  • And owner can set this platformFee to arbitrary uint256 value using setPlatformFee function.
  • If platformFee > 10000 then platformShare will even bigger than balanceOfVault, make line 41 revert everytime because of arithmetic underflow and causes denial of service.

Proof of concept

  • Check if platformFee <= 10000 in setPlatformFee function. require(platformFee <= 10000, ‘invalid platformFee’);

#0 - sofianeOuafir

2022-04-14T20:37:53Z

duplicate of #9

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0v3rf10w, 0x1f8b, 0xNazgul, 0xkatana, Dravee, Funen, Tomio, WatchPug, blackswordsman, defsec, hake, kenta, minhquanym, rayn, rfa, robee, saian, securerodd, ych18, z3s

Awards

36.417 USDC - $36.42

Labels

bug
G (Gas Optimization)

External Links

Link to GitHub issue

1. Cache length in the for loop and uncheck index

Impact

  • At each iteration of the loop, length is read from memory. We can cache the length and save gas per iteration.
  • Solidity 0.8.0 check safe math in every operation. Use uncheck to increase index can save gas.

Occurences

  • For example, for-loop in line 79 CoreFactory.sol can be optimized:
uint256 length = _collections.length;
for (uint256 i; i < length; ) {
	// do something //
	uncheck { ++i; }
}

2. != 0 costs less gass compared to > 0 for unsigned integer

Impact

  • != 0 costs less gass compared to > 0 for unsigned integer

Occurences

  • Change > 0 with != 0.

3. Remove == true when check boolean variable save gas.

Impact

  • Remove == true when check boolean variable can save a tiny amount of gas.

Occurences

  • Remove == true.

4. Check amount before transfer can save gas.

Impact

  • platformShare can be 0 when balanceOfVault < 10000 / platformFee (platformFee = 500 in default)
  • splitterShare can be 0 when platformFee == 10000.
  • In that case, we should check if platformShare != 0 and splitterShare != 0 before making the transfer to save gas.

Proof of concept

  • Add check if platformShare != 0 before transfer
AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter