Escher contest - pashov's results

A decentralized curated marketplace for editioned artwork.

General Information

Platform: Code4rena

Start Date: 06/12/2022

Pot Size: $36,500 USDC

Total HM: 16

Participants: 119

Period: 3 days

Judge: berndartmueller

Total Solo HM: 2

Id: 189

League: ETH

Escher

Findings Distribution

Researcher Performance

Rank: 80/119

Findings: 2

Award: $29.42

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2022-12-escher/blob/0cf28046e8fe79996f912c7cfc40239ebb863255/src/minters/FixedPrice.sol#L109

https://github.com/code-423n4/2022-12-escher/blob/0cf28046e8fe79996f912c7cfc40239ebb863255/src/minters/OpenEdition.sol#L92

https://github.com/code-423n4/2022-12-escher/blob/0cf28046e8fe79996f912c7cfc40239ebb863255/src/minters/LPDA.sol#L86

Vulnerability details

Proof of Concept

The codebase makes heavy use of the deprecated transfer function of address payable. It will inevitably make the transaction fail when:

  1. The receiver smart contract does not implement a payable function.
  2. The receiver smart contract does implement a payable fallback which uses more than 2300 gas units.
  3. The receiver smart contract implements a payable fallback function that needs less than 2300 gas units but is called through proxy, raising the call's gas usage above 2300.

Additionally, using higher than 2300 gas might be mandatory for some multisig wallets.

This vulnerability can result in a permanent DoS if the receiver address is of the above mentioned types.

Severity

The impact of this issue is high, since tokens will be stuck forever, and likelihood is Low/Med since EOAs and most smart contracts will not have this problem. This results in Medium severity.

Recommendation

Use call with value instead of transfer on address payable
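The pattern above, as an added illustration that is not Escher's code: a hypothetical receiver whose receive() writes storage (so it needs more than the 2300 gas stipend), a withdrawal contract that pays it with transfer and therefore reverts for good, and the hardened version that uses call with value and checks the result. Contract and function names are made up for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical receiver whose receive() writes to storage, so it needs more
// than the 2300 gas stipend that transfer() forwards. Multisig wallets and
// proxied wallets commonly fall into the same category.
contract StorageWritingReceiver {
    uint256 public received;

    receive() external payable {
        received += msg.value; // a single SSTORE already exceeds 2300 gas
    }
}

// Vulnerable pattern: the payout reverts for any receiver like the one above,
// and since this withdrawal path is the only way out, the funds are stuck.
contract WithdrawWithTransfer {
    mapping(address => uint256) public owed;

    receive() external payable {
        owed[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        payable(msg.sender).transfer(amount); // forwards only 2300 gas
    }
}

// Hardened pattern: call{value: ...} forwards all remaining gas and returns a
// success flag that must be checked. Because the callee may now re-enter, the
// state update stays before the external call (checks-effects-interactions);
// a reentrancy guard is a reasonable additional measure.
contract WithdrawWithCall {
    mapping(address => uint256) public owed;

    receive() external payable {
        owed[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0; // effect before interaction
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "ETH transfer failed");
    }
}
```

Deploying StorageWritingReceiver and calling withdraw() through it against each payout contract shows the difference: the transfer variant reverts with out-of-gas inside the stipend, the call variant succeeds.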

#0 - c4-judge

2022-12-10T00:33:56Z

berndartmueller marked the issue as duplicate of #99

#1 - c4-judge

2023-01-03T12:49:16Z

berndartmueller marked the issue as satisfactory

Findings Information

Labels

2 (Med Risk)
partial-50
duplicate-377

Awards

28.8137 USDC - $28.81

External Links

Judge has assessed an item in Issue #506 as M risk. The relevant finding follows:

selfDestruct will probably be deactivated soon

#0 - c4-judge

2022-12-11T18:35:17Z

berndartmueller marked the issue as duplicate of #377

#1 - berndartmueller

2023-01-03T15:33:21Z

Applying partial credit as the warden did not demonstrate a concrete impact

#2 - c4-judge

2023-01-03T15:33:27Z

berndartmueller marked the issue as partial-50
