Back to mookimgo's contests

Forgeries contest - mookimgo's results

A protocol for on-chain games with NFT prizes on Ethereum.

General Information

Platform: Code4rena

Start Date: 13/12/2022

Pot Size: $36,500 USDC

Total HM: 5

Participants: 77

Period: 3 days

Judge: gzeon

Total Solo HM: 1

Id: 191

League: ETH

Forgeries

Findings Distribution

Researcher Performance

Rank: 23/77

Findings: 1

Award: $110.27

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryForgeries

Findings Information

🌟 Selected for report: Trust

Also found by: Apocalypto, Madalad, Matin, aga7hokakological, evan, kaliberpoziomka8552, mookimgo, poirots, subtle77, wagmi, yixxas

Labels

bug
2 (Med Risk)
satisfactory
duplicate-273

Awards

110.2711 USDC - $110.27

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-12-forgeries/blob/main/src/VRFNFTRandomDraw.sol#L33

Vulnerability details

Impact

Wrong constant leads to unexpected long time can be set for settings.drawBufferTime and settings.recoverTimelock

Proof of Concept

uint256 immutable MONTH_IN_SECONDS = (3600 * 24 * 7) * 30;

this actually is 7 month.

In this setting settings.recoverTimelock can be as large as 12*7 month (7 years) instead of a year, and likewise REDRAW_TIMELOCK_NEEDS_TO_BE_LESS_THAN_A_MONTH will only prevent _settings.drawBufferTime larger than 7 months.

Tools Used

no

should be changed to uint256 immutable MONTH_IN_SECONDS = 3600 * 24 * 30;

#0 - c4-judge

2022-12-17T12:53:23Z

gzeon-c4 marked the issue as duplicate of #273

#1 - c4-judge

2022-12-17T12:53:55Z

gzeon-c4 marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter