Platform: Code4rena
Start Date: 03/05/2022
Pot Size: $30,000 USDC
Total HM: 6
Participants: 93
Period: 3 days
Judge: gzeon
Id: 118
League: ETH
Rank: 5/93
Findings: 3
Award: $1,435.17
🌟 Selected for report: 1
🚀 Solo Findings: 0
🌟 Selected for report: gzeon
Also found by: AuditsAreUS, BowTiedWardens, Ruhum, pedroais, shenwilly, teddav
User ETH could be stolen by the owner
In the documentation of the contest, the sponsor writes this as a known issue but I'm still reporting it since I think I can propose a solution that may be of value. Even if the sponsor is a legally doxed trusted entity a better trustlessness could be achieved with this solution. Being legally doxed in the US doesn't ensure everyone since a foreign user may not be able to easily litigate in the US.
Even if the sponsor does everything in good faith, enforcing max trustlessness can give more trust to the user which can increase the value of the sale and NFTs.
The owner is able to withdraw all eth including the funds owed for refunds. If the owner withdraws before all refunds are made user's will lose their refunds.
Create a function that computes all owed eth and make the withdraw function only able to withdraw balance - owedETH.
#0 - gzeoneth
2022-06-18T18:25:49Z
Duplicate of #187
🌟 Selected for report: pedroais
Also found by: AuditsAreUS, BowTiedWardens, GimelSec, IllIllI, WatchPug, defsec, leastwood
https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsMinter.sol#L564 https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsMinter.sol#L571 https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsMinter.sol#L557 https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsMinter.sol#L571
The price for the dutch auction could be altered.
I previously sent an issue about start time being settable more than once. This also happens for many other variables. Since they are many I will send them all in a single issue.
The following functions should only be called once to ensure trustlessness and integrity of the dutch auction : setDaPriceCurveLength setStartPrice setLowestPrice setDaDropInterval
The price in the dutch auction is computed by this formula : uint256 dropPerStep = (startPrice - lowestPrice) / (daPriceCurveLength / daDropInterval);
By making dapriceCurveLength or daDropInterval equal to 0 the owner could stop the auction. This could benefit the owner since the price lowers with time and everyone pays the final lower price. If the auction does well at the beginning the owner could stop the auction to stop the price from being lower. This works against the integrity of the dutch auction.
Also changing the Start Price or the Lowest price in the middle of the auction could allow the owner to manipulate the price.
To each of these setter functions add require (variable == 0) to ensure they are set once in a permanent way. Also, the Lowest price < startPrice should be required.
#0 - gzeoneth
2022-06-18T18:00:02Z
While centralization risk is acknowledged by the team, I agree that these variable should not be able to be changed during sale since it may lead to loss of functionality. Consolidating all similar issue for different variables here.
🌟 Selected for report: defsec
Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0x52, 0xDjango, 0xf15ers, 0xkatana, 0xliumin, AuditsAreUS, BowTiedWardens, CertoraInc, Cr4ckM3, Funen, GimelSec, Hawkeye, IllIllI, Kulk0, M0ndoHEHE, MaratCerby, Picodes, Ruhum, TerrierLover, TrungOre, VAD37, WatchPug, berndartmueller, broccolirob, catchup, cccz, cryptphi, csanuragjain, delfin454000, dirk_y, eccentricexit, ellahi, fatherOfBlocks, gzeon, hake, hansfriese, hickuphh3, horsefacts, hubble, hyh, ilan, joestakey, kebabsec, kenta, kenzo, leastwood, m9800, marximimus, minhquanym, oyc_109, p4st13r4, pauliax, pedroais, peritoflores, plotchy, rajatbeladiya, reassor, rfa, robee, rotcivegaf, samruna, shenwilly, shung, simon135, sorrynotsorry, sseefried, teddav, throttle, tintin, unforgiven, z3s
30.8695 USDC - $30.87
Forgotten runes warrior guild came to C4 to sponsor a contest on their NFT token and mint. The code is easy to understand thanks to full natspec documentation. The codebase lacks some good practices in terms of trustlessness and decentralization. Even if the company is trustable too much depended on owner keys can be dangerous in case a key theft happens.
These are the low severity and informational issues : Low severity : L1- If the dutchAuction sells out before reaching lowestPrice the view function currentDaPrice will still return the lowest price. If the auction sells out the function should return the final price instead of lowestPrice. https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsMinter.sol#L279
Informational : I1-The initializer function lacks the initializer modifier. https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsGuild.sol#L52
I2- Using send for eth transfers. This method will gas bound transfers which means a receiving contract can't implement any fallback logic. https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsGuild.sol#L164
I3- The minter contract doesn't have any events which is a bad practice https://consensys.github.io/smart-contract-best-practices/development-recommendations/solidity-specific/event-monitoring/