Platform: Code4rena
Start Date: 07/07/2022
Pot Size: $75,000 USDC
Total HM: 32
Participants: 141
Period: 7 days
Judge: HardlyDifficult
Total Solo HM: 4
Id: 144
League: ETH
Rank: 40/141
Findings: 4
Award: $327.79
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xNineDec
Also found by: 0x1f8b, infosec_us_team, kenzo, pashov, xiaoming90
Proof of concept: The execute() function in Vault.sol allows the owner address to call it any time with any parameters, and in it’s code it does delegatecall to the function’s target argument with the function’s data argument. This basically allows the owner to execute any code, any time in the context of Vault.sol
Impact: This is a bit of a centralisation issue, where one address has too much power. This address can be malicious or hacked and execute code that results in change in the mapping from function selector to plugin addresses for example.
Recommended Mitigation Steps: Put owner calls to execute() behind a timelock, so users can have time to withdraw funds or do any actions if they feel that the call is not safe for them.
#0 - mehtaculous
2022-07-19T15:58:50Z
Duplicate of #535
#1 - HardlyDifficult
2022-07-27T00:55:21Z
Proof of concept: The controller of the contract can set any royalty percentage for any ERC1155 token, but the setting is not limited, so he can set it to 100% which will result in all the funds of a trade going to the royaltyAddress. He can also set the royaltyAddressto be one that is controlled by him, effectively getting 100% of all funds which users use on secondary sales
Impact: If controller is malicious or hacked, he can basically rug all secondary sales and steal the value from them completely.
Recommended Mitigation Steps: Implement an upper limit for royaltyPercent, for example make it so the maximum percentage is 5%. Also make it so that the owner of the token can set the royaltyAddress, otherwise the controller can always set it to his address and steal all royalties
#0 - 0x0aa0
2022-07-18T18:40:26Z
Duplicate of #166
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x29A, Amithuddar, Avci, BowTiedWardens, Kthere, Limbooo, MEP, Ruhum, StyxRave, TomJ, Treasure-Seeker, TrungOre, Tutturu, Waze, bardamu, c3phas, cccz, codexploder, cryptphi, hake, horsefacts, hyh, oyc_109, pashov, peritoflores, scaraven, simon135, slywaters, sseefried, tofunmi, xiaoming90
1.3977 USDC - $1.40
https://github.com/code-423n4/2022-07-fractional/blob/8f2697ae727c60c93ea47276f8fa128369abfe51/src/modules/Migration.sol#L172 https://github.com/code-423n4/2022-07-fractional/blob/8f2697ae727c60c93ea47276f8fa128369abfe51/src/modules/Migration.sol#L325
Impact:
The use of the deprecated transfer() function for an address will inevitably make the transaction fail when:
Additionally, using higher than 2300 gas might be mandatory for some multisig wallets.
Recommended Mitigation Steps: Use **** call() instead of transfer()
#0 - mehtaculous
2022-07-19T21:51:33Z
Duplicate of #325
#1 - HardlyDifficult
2022-07-28T15:48:16Z
Duping to #504
🌟 Selected for report: xiaoming90
Also found by: 0x1f8b, 0x29A, 0x52, 0xA5DF, 0xDjango, 0xNazgul, 0xNineDec, 0xf15ers, 0xsanson, 0xsolstars, 242, 8olidity, Amithuddar, Aymen0909, Bnke0x0, BowTiedWardens, David_, Deivitto, ElKu, Funen, Hawkeye, IllIllI, JC, Kaiziron, Keen_Sheen, Kthere, Kulk0, Kumpa, Lambda, MEP, ReyAdmirado, Rohan16, Ruhum, Sm4rty, TomJ, Tomio, Treasure-Seeker, TrungOre, Tutturu, Viksaa39, Waze, _Adam, __141345__, ak1, apostle0x01, asutorufos, async, ayeslick, aysha, bbrho, benbaessler, berndartmueller, c3phas, cccz, chatch, cloudjunky, codexploder, cryptphi, delfin454000, dipp, durianSausage, dy, exd0tpy, fatherOfBlocks, hake, hansfriese, horsefacts, hubble, joestakey, jonatascm, kebabsec, kenzo, kyteg, mektigboy, neumo, oyc_109, pashov, pedr02b2, peritoflores, rajatbeladiya, rbserver, robee, rokinot, s3cunda, sach1r0, sahar, sashik_eth, scaraven, shenwilly, simon135, sorrynotsorry, sseefried, svskaushik, unforgiven, z3s, zzzitron
61.9882 USDC - $61.99
Checking if a contract exists before delegatecall is not needed since Solidity 0.8.0
The code has a check and reverts if the target for delegateCall does not have any code (it’s an EOA). Since Solidity 0.8.10 this is not needed
• Code Generator: Skip existence check for external contract if return data is expected. In this case, the ABI decoder will revert if the contract does not exist.
Open TODO in codebase
Resolve hanging TODO before deploying to mainnet.
WETH address variable should not be payable
Do not use address payable for WETH, ether shouldn’t be directly sent to WETH contract ever. Use just address
Wrong comment
The comment above the function is saying /// @dev Callback for receiving ether when the calldata is empty but this is not a “callback”. The intention might have been to write “fallback” which is still partly correct. Replace callback with function
#0 - HardlyDifficult
2022-07-28T17:31:15Z