Forgeries contest - sces60107's results

A protocol for on-chain games with NFT prizes on Ethereum.

General Information

Platform: Code4rena

Start Date: 13/12/2022

Pot Size: $36,500 USDC

Total HM: 5

Participants: 77

Period: 3 days

Judge: gzeon

Total Solo HM: 1

Id: 191

League: ETH

Forgeries

Findings Distribution

Researcher Performance

Rank: 61/77

Findings: 1

Award: $19.22

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

19.2206 USDC - $19.22

Labels

bug
3 (High Risk)
satisfactory
upgraded by judge
duplicate-146

External Links

Lines of code

https://github.com/code-423n4/2022-12-forgeries/blob/main/src/VRFNFTRandomDraw.sol#L306

Vulnerability details

Impact

Owners can call lastResortTimelockOwnerClaimNFT to reclaim the NFT once settings.recoverTimelock <= block.timestamp. But settings.recoverTimelock is set only in initialize, so the owner can simply delay the call to startDraw until settings.recoverTimelock has been reached.

If the owner wants to refuse to hand the NFT to certain winners, the owner can call lastResortTimelockOwnerClaimNFT whenever one of those winners wins the draw. Because the owner delayed the call to startDraw, the owner can call lastResortTimelockOwnerClaimNFT immediately (or front-run the winner's winnerClaimNFT).

Proof of Concept

The lastResortTimelockOwnerClaimNFT function checks settings.recoverTimelock:

```solidity
function lastResortTimelockOwnerClaimNFT() external onlyOwner {
    // If recoverTimelock is not setup, or if not yet occurred
    if (settings.recoverTimelock > block.timestamp) {
        // Stop the withdraw
        revert RECOVERY_IS_NOT_YET_POSSIBLE();
    }
    ...
```

If the owner delays startDraw until settings.recoverTimelock, the owner can call lastResortTimelockOwnerClaimNFT immediately afterwards and reject specific winners by front-running the winnerClaimNFT() call made by the winner.

Tools Used

Manual Review

Recommended Mitigation Steps

Add a recoverBufferTime variable and reset settings.recoverTimelock in startDraw:

```diff
function startDraw() external onlyOwner returns (uint256) {
+   settings.recoverTimelock = block.timestamp + settings.recoverBufferTime;
    ...
```
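As an added illustration (not the finding's code and not the Forgeries contract), the following Python model reproduces the timelock check from the proof of concept above and the proposed reset in startDraw, so the race and the mitigation can be compared offline. It stands in for the contract with plain integers for block.timestamp, collapses the VRF round trip into the startDraw call, and assumes a settings.recoverBufferTime field; the names DrawModel, owner_can_frontrun_winner and recovery_after_buffer are the example's own.

```python
from dataclasses import dataclass
from typing import Optional


class RecoveryNotYetPossible(Exception):
    """Stands in for the contract's RECOVERY_IS_NOT_YET_POSSIBLE() revert."""


@dataclass
class DrawModel:
    """Constructed model of the NFT draw's timelock state (not the real contract)."""
    owner: str
    recover_timelock: int           # settings.recoverTimelock, fixed at initialize
    recover_buffer_time: int = 0    # assumed settings.recoverBufferTime (mitigated variant only)
    mitigated: bool = False         # True: startDraw resets recoverTimelock, as proposed
    winner: Optional[str] = None
    nft_holder: str = "contract"    # who currently holds the prize NFT

    def start_draw(self, caller: str, now: int, winner: str) -> None:
        if caller != self.owner:
            raise PermissionError("onlyOwner")
        if self.mitigated:
            # Proposed fix: recovery only becomes possible a full buffer after the draw starts
            self.recover_timelock = now + self.recover_buffer_time
        # The VRF request/fulfilment round trip is collapsed into this call for the model
        self.winner = winner

    def last_resort_owner_claim(self, caller: str, now: int) -> None:
        if caller != self.owner:
            raise PermissionError("onlyOwner")
        if self.recover_timelock > now:
            raise RecoveryNotYetPossible()
        if self.nft_holder != "contract":
            raise RuntimeError("NFT already claimed")
        self.nft_holder = self.owner

    def winner_claim(self, caller: str) -> None:
        if caller != self.winner:
            raise PermissionError("not the winner")
        if self.nft_holder != "contract":
            raise RuntimeError("NFT already claimed")
        self.nft_holder = caller


def owner_can_frontrun_winner(mitigated: bool, recover_timelock: int = 1000,
                              buffer: int = 300) -> bool:
    """Owner waits until recoverTimelock, starts the draw, and tries to reclaim the
    NFT in the same block, ahead of the winner's claim. True means the race succeeds."""
    m = DrawModel("owner", recover_timelock, buffer, mitigated)
    now = recover_timelock              # owner delayed startDraw until the timelock
    m.start_draw("owner", now, winner="alice")
    try:
        m.last_resort_owner_claim("owner", now)
    except RecoveryNotYetPossible:
        m.winner_claim("alice")         # alice's transaction goes through instead
        return False
    return m.nft_holder == "owner"


def recovery_after_buffer(recover_timelock: int = 1000, buffer: int = 300) -> bool:
    """With the mitigation, an unclaimed NFT is still recoverable once the buffer
    after startDraw has elapsed, so the last-resort path is preserved."""
    m = DrawModel("owner", recover_timelock, buffer, mitigated=True)
    m.start_draw("owner", recover_timelock, winner="alice")
    m.last_resort_owner_claim("owner", recover_timelock + buffer)
    return m.nft_holder == "owner"


if __name__ == "__main__":
    print("vulnerable: owner front-runs winner ->", owner_can_frontrun_winner(False))
    print("mitigated:  owner front-runs winner ->", owner_can_frontrun_winner(True))
    print("mitigated:  recovery after buffer   ->", recovery_after_buffer())
```

The unmitigated run lets the owner take the NFT in the same block the draw starts; with the reset in startDraw the same call reverts and the winner's claim lands, while the owner can still recover an unclaimed NFT once recoverBufferTime has passed.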

#0 - c4-judge

2022-12-17T15:25:16Z

gzeon-c4 marked the issue as duplicate of #146

#1 - c4-judge

2022-12-17T15:25:20Z

gzeon-c4 marked the issue as satisfactory

#2 - c4-judge

2023-01-23T17:09:19Z

gzeon-c4 changed the severity to 3 (High Risk)
