Forgotten Runes Warrior Guild contest - peritoflores's results

16,000 Warrior NFTs sold in a phased Dutch Auction.

General Information

Platform: Code4rena

Start Date: 03/05/2022

Pot Size: $30,000 USDC

Total HM: 6

Participants: 93

Period: 3 days

Judge: gzeon

Id: 118

League: ETH

Forgotten Runes

Findings Distribution

Researcher Performance

Rank: 46/93

Findings: 2

Award: $78.87

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

48.5872 USDC - $48.59

Labels

bug
duplicate
2 (Med Risk)
resolved

External Links

Lines of code

https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsGuild.sol#L164

Vulnerability details

The usage of address.send is considered a bad practice as it only uses 2300 gas and you create a high dependency on gas. It is true that this is only used in an emergency to transfer the funds to the vault, but it is always a better practice to use call.

    function withdrawAll() public payable onlyOwner {
        require(address(vault) != address(0), 'no vault');
        require(payable(vault).send(address(this).balance));
    }

Useful Links

https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/

Use call instead

    (bool success, ) = msg.sender.call{value:amount}("");
    require(success, "Transfer failed.");
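The failure mode behind this finding, as an added example that is not the contest code or the warden's submission: `BookkeepingVault` and `WithdrawDemo` are hypothetical contracts, assuming a vault whose `receive()` writes to storage. The `send` variant reverts against such a vault, while the `call` variant completes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical vault (assumption, not from the audited repo). Its receive()
// writes to storage, which costs far more than the 2300 gas stipend that
// send() and transfer() forward.
contract BookkeepingVault {
    uint256 public totalReceived;

    receive() external payable {
        totalReceived += msg.value; // SSTORE cannot run inside the stipend
    }
}

// Hypothetical stand-in for the token contract, reduced to the withdrawal path.
contract WithdrawDemo {
    address public owner = msg.sender;
    address public vault;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Deploy with some ether and the address of a BookkeepingVault.
    constructor(address _vault) payable {
        vault = _vault;
    }

    // Pattern from the finding: send() forwards only the stipend and returns
    // false when the vault's receive() runs out of gas, so the require reverts
    // and the funds stay in this contract.
    function withdrawAllSend() public onlyOwner {
        require(vault != address(0), "no vault");
        require(payable(vault).send(address(this).balance), "send failed");
    }

    // Recommended pattern: call forwards the remaining gas, and the returned
    // success flag is checked explicitly.
    function withdrawAllCall() public onlyOwner {
        require(vault != address(0), "no vault");
        (bool success, ) = payable(vault).call{value: address(this).balance}("");
        require(success, "Transfer failed.");
    }
}
```

Because `call` forwards all remaining gas, the recipient can execute arbitrary code; in this sketch the recipient is the owner-configured vault and the function is `onlyOwner`.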

#0 - cryppadotta

2022-05-06T15:42:11Z

agree fixed

#1 - gzeoneth

2022-06-18T18:54:25Z

Duplicate of #254

QA by perito flores

[L01] No event emission

I see that you are not emitting any events in your contract. Events are the way to communicate with a client application or a front-end website to know what is happening in the blockchain.

The following functions are lacking events.

At ForgottenRunesWarriorsGuild.sol

initialize, burn, setBaseURI, setMinter, setMinter, withdrawAll, forwardERC20s

At ForgottenRunesWarriorsMinter.sol

bidSummon, mintlistSummon, publicSummon, claimSummon, teamSummon, issueRefunds, selfRefund, setDaStartTime, setMintlistStartTime, setPublicStartTime, setClaimsStartTime, setSelfRefundsStartTime, etc