Platform: Code4rena
Start Date: 30/10/2023
Pot Size: $49,250 USDC
Total HM: 14
Participants: 243
Period: 14 days
Judge: 0xsomeone
Id: 302
League: ETH
Rank: 62/243
Findings: 2
Award: $109.12
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: ast3ros
Also found by: 00xSEV, Al-Qa-qa, CaeraDenoir, Jiamin, Juntao, Ruhum, bart1e, circlelooper, crunch, gumgumzum, rishabh, smiling_heretic, ustas
95.7343 USDC - $95.73
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L218-L220
Cross Contract re-entrancy can occur due to not following CEI
burnToMint in GenCore, which mints the the new token from the to be minted collection.https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L218-L220
_mintProcessing(mintIndex, ownerOf(_tokenId), tokenData[_tokenId], _mintCollectionID, _saltfun_o); // burn token _burn(_tokenId);
Tokens should be burned before minting and calling the receiver contract, this follows the safe pattern
// burn token _burn(_tokenId); _mintProcessing(mintIndex, ownerOf(_tokenId), tokenData[_tokenId], _mintCollectionID, _saltfun_o);
Reentrancy
#0 - c4-pre-sort
2023-11-19T05:12:10Z
141345 marked the issue as duplicate of #1198
#1 - c4-pre-sort
2023-11-20T09:25:10Z
141345 marked the issue as duplicate of #1597
#2 - c4-pre-sort
2023-11-26T14:02:19Z
141345 marked the issue as duplicate of #1742
#3 - c4-judge
2023-11-29T19:53:11Z
alex-ppg marked the issue as not a duplicate
#4 - c4-judge
2023-11-29T19:53:21Z
alex-ppg marked the issue as duplicate of #1597
#5 - c4-judge
2023-12-05T12:24:56Z
alex-ppg changed the severity to 2 (Med Risk)
#6 - c4-judge
2023-12-08T21:23:48Z
alex-ppg marked the issue as partial-50
🌟 Selected for report: The_Kakers
Also found by: 00xSEV, 0x3b, Arabadzhiev, DeFiHackLabs, Fulum, Madalad, MrPotatoMagic, SpicyMeatball, Tadev, ZanyBonzy, ZdravkoHr, alexfilippov314, audityourcontracts, cheatc0d3, devival, dy, evmboi32, immeas, lsaudit, mrudenko, oakcobalt, oualidpro, pipidu83, r0ck3tz, rishabh, rotcivegaf, tpiliposian, xAriextz
13.3948 USDC - $13.39
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/XRandoms.sol#L28-L32
getWord() never returns the last element and returns the element at index 0 with twice the possibility compared to others
getWord function is called from inside randomWord
function randomWord() public view returns (string memory) { uint256 randomNum = uint(keccak256(abi.encodePacked(block.prevrandao, blockhash(block.number - 1), block.timestamp))) % 100; return getWord(randomNum); }
the value of randomNum always will remain between 0 <= randomNum < 100
But the getWord is implemented correctly for this value range
if (id==0) { return wordsList[id]; } else { return wordsList[id - 1]; }
Here is a relationship between randomNum variable and the output of getWord function
| randomNum | Output Of getWord |
|---|---|
| 0 | Acai |
| 1 | Acai |
| ... | ... |
| 99 | Velvet Apple |
As it can be seen, wordsList[0] which is "Acai" will be returned twice and wordlist[99] which is "Watermelon" will never be returned.
Manual
if (id==0) { return wordsList[id]; } else { return wordsList[id - 1]; }
Should be changed to
return wordList[id]
Other
#0 - c4-pre-sort
2023-11-16T14:22:23Z
141345 marked the issue as duplicate of #508
#1 - c4-judge
2023-12-04T13:52:32Z
alex-ppg marked the issue as selected for report
#2 - alex-ppg
2023-12-04T13:54:46Z
The Warden has illustrated that the getWord function as utilized in the operational portion of the NextGen system is flawed due to incorrect usage of the input argument.
While a correct observation, this would simply double the chance of "Acai" and render the "Watermelon" word inaccessible. Thus, the randomness of the function is affected to a small degree rendering this exhibit to be of QA (low risk).
#3 - c4-judge
2023-12-04T13:55:00Z
alex-ppg changed the severity to QA (Quality Assurance)
#4 - c4-judge
2023-12-08T22:47:48Z
alex-ppg marked the issue as grade-b
#5 - c4-judge
2023-12-09T00:47:38Z
alex-ppg marked the issue as not selected for report