Arcade.xyz - sces60107's results

The first of its kind Web3 platform to enable liquid lending markets for NFTs.

General Information

Platform: Code4rena

Start Date: 21/07/2023

Pot Size: $90,500 USDC

Total HM: 8

Participants: 60

Period: 7 days

Judge: 0xean

Total Solo HM: 2

Id: 264

League: ETH

Arcade.xyz

Findings Distribution

Researcher Performance

Rank: 39/60

Findings: 1

Award: $312.74

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: ktg

Also found by: 0x3b, 0xastronatey, 0xbranded, 0xmuxyz, 0xnev, BenRai, Viktor_Cortess, caventa, oakcobalt, sces60107

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
duplicate-283

Awards

312.7392 USDC - $312.74

External Links

Lines of code

https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/NFTBoostVault.sol#L363
https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/NFTBoostVault.sol#L342

Vulnerability details

Impact

NFTBoostVault.setMultiplier is used to modify the multipliers, and NFTBoostVault.updateVotingPower must then be called to actually update the current voting power. In other words, if no one calls NFTBoostVault.updateVotingPower for every user who has registered with the affected ERC1155 token, the current voting power can be incorrect.

Proof of Concept

NFTBoostVault.setMultiplier simply updates the multiplierData storage: https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/NFTBoostVault.sol#L364

    function setMultiplier(address tokenAddress, uint128 tokenId, uint128 multiplierValue) public override onlyManager {
        if (multiplierValue > MAX_MULTIPLIER) revert NBV_MultiplierLimit();

        NFTBoostVaultStorage.AddressUintUint storage multiplierData = _getMultipliers()[tokenAddress][tokenId];
        // set multiplier value
        multiplierData.multiplier = multiplierValue;

        emit MultiplierSet(tokenAddress, tokenId, multiplierValue);
    }

Someone then needs to call updateVotingPower to actually update the current voting power, but it may be hard to find all the registrations that reference the corresponding ERC1155 token: https://github.com/code-423n4/2023-07-arcade/blob/main/contracts/NFTBoostVault.sol#L342

    function updateVotingPower(address[] calldata userAddresses) public override {
        if (userAddresses.length > 50) revert NBV_ArrayTooManyElements();

        for (uint256 i = 0; i < userAddresses.length; ++i) {
            NFTBoostVaultStorage.Registration storage registration = _getRegistrations()[userAddresses[i]];
            _syncVotingPower(userAddresses[i], registration);
        }
    }

If even one registration is not updated, the incorrect voting power could harm the voting system.

Tools Used

Manual Review

Recommended Mitigation Steps

There should be a mapping that tracks which users have registered a specific ERC1155 token. With it, updateVotingPower can easily target all the registrations that need to be updated, and setMultiplier itself can update the voting power of the affected users.
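As an added illustration of that mitigation (not Arcade's code; the contract name, the multiplier scale, the simplified registration shape and the access control are assumptions), a minimal vault that keeps a reverse index from (tokenAddress, tokenId) to its registrants so that setMultiplier resyncs every affected registration in the same transaction:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
/// Hypothetical sketch of the suggested mitigation (not Arcade's code): a reverse index from
/// (tokenAddress, tokenId) to registered users lets a multiplier change resync exactly the affected voting power.
contract HolderIndexedVault {
    uint128 public constant MULTIPLIER_DENOMINATOR = 1000; // assumed scale: 1000 = 1.0x
    uint128 public constant MAX_MULTIPLIER = 1500;         // assumed cap: 1.5x
    struct Registration { uint128 amount; uint128 tokenId; address tokenAddress; uint128 votingPower; }
    address public immutable manager;
    mapping(address => Registration) public registrations;
    mapping(address => mapping(uint128 => uint128)) public multipliers;
    mapping(address => mapping(uint128 => address[])) private holders; // the added reverse index
    mapping(address => uint256) private holderSlot;                     // 1-based slot, 0 = absent
    constructor() { manager = msg.sender; }
    modifier onlyManager() { require(msg.sender == manager, "not manager"); _; }

    function register(uint128 amount, address tokenAddress, uint128 tokenId) external {
        Registration storage r = registrations[msg.sender];
        require(r.amount == 0 && amount > 0, "bad registration");
        r.amount = amount; r.tokenAddress = tokenAddress; r.tokenId = tokenId;
        holders[tokenAddress][tokenId].push(msg.sender);
        holderSlot[msg.sender] = holders[tokenAddress][tokenId].length;
        _sync(r);
    }

    // Swap-and-pop removal keeps the index exact, so setMultiplier never touches stale entries.
    function withdraw() external {
        Registration storage r = registrations[msg.sender];
        require(r.amount > 0, "not registered");
        address[] storage hs = holders[r.tokenAddress][r.tokenId];
        uint256 slot = holderSlot[msg.sender];
        address last = hs[hs.length - 1];
        hs[slot - 1] = last; holderSlot[last] = slot; hs.pop();
        delete holderSlot[msg.sender]; delete registrations[msg.sender];
    }

    // Multiplier change and voting-power resync happen in one transaction, so no stale power remains.
    // Caveat: the loop is unbounded; production code must page through holders (cf. the cap of 50).
    function setMultiplier(address tokenAddress, uint128 tokenId, uint128 value) external onlyManager {
        require(value <= MAX_MULTIPLIER, "multiplier limit");
        multipliers[tokenAddress][tokenId] = value;
        address[] storage hs = holders[tokenAddress][tokenId];
        for (uint256 i = 0; i < hs.length; ++i) _sync(registrations[hs[i]]);
    }

    function _sync(Registration storage r) internal {
        uint128 m = multipliers[r.tokenAddress][r.tokenId];
        if (m == 0) m = MULTIPLIER_DENOMINATOR; // unset multiplier counts as 1.0x
        r.votingPower = uint128((uint256(r.amount) * m) / MULTIPLIER_DENOMINATOR);
    }
}
```

The same index also lets an off-chain keeper enumerate exactly which addresses to pass to a paginated updateVotingPower, instead of scanning every registration for the affected token.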

Assessed type

Other

#0 - c4-pre-sort

2023-07-30T06:36:06Z

141345 marked the issue as primary issue

#1 - c4-pre-sort

2023-08-01T09:15:17Z

141345 marked the issue as duplicate of #431

#2 - c4-judge

2023-08-10T14:12:27Z

0xean changed the severity to 2 (Med Risk)

#3 - c4-judge

2023-08-11T16:05:52Z

0xean marked the issue as satisfactory
