PoolTogether V5: Part Deux - seerether's results

A protocol for no-loss prize savings.

General Information

Platform: Code4rena

Start Date: 02/08/2023

Pot Size: $42,000 USDC

Total HM: 13

Participants: 45

Period: 5 days

Judge: hickuphh3

Total Solo HM: 5

Id: 271

League: ETH

PoolTogether

Findings Distribution

Researcher Performance

Rank: 30/45

Findings: 1

Award: $89.63

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Awards

89.6296 USDC - $89.63

Labels

bug
3 (High Risk)
low quality report
satisfactory
duplicate-82

External Links

Lines of code

https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngRelayAuction.sol#L133
https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngRelayAuction.sol#L137
https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngRelayAuction.sol#L139
https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngRelayAuction.sol#L142

Vulnerability details

Impact

This will result in a larger reward fraction, allowing the caller to unfairly claim more of the rewards.

Proof of Concept

The _rngCompletedAt timestamp is controlled by the caller. They can make _auctionElapsedSeconds smaller by providing a higher _rngCompletedAt to increase their reward fraction. For example, if the real RNG completion time was 1 hour ago, they could pass a _rngCompletedAt of 30 mins ago. This makes the _auctionElapsedSeconds smaller, so the reward fraction will be higher.

Tools Used

Manual

Use block.timestamp instead of relying on the passed _rngCompletedAt.

Assessed type

Other

#0 - c4-pre-sort

2023-08-08T04:12:29Z

raymondfam marked the issue as duplicate of #82

#1 - c4-pre-sort

2023-08-08T04:14:16Z

raymondfam marked the issue as low quality report

#2 - raymondfam

2023-08-08T05:40:01Z

The report is minimally elaborated.

#3 - HickupHH3

2023-08-14T02:50:46Z

Keyword I'm looking for is access control, this issue does not touch on it.

However, it did point out that the caller can "unfairly claim more of the rewards" by passing in a malicious param.

#4 - c4-judge

2023-08-14T02:50:50Z

HickupHH3 marked the issue as satisfactory

Findings Information

Awards

89.6296 USDC - $89.63

Labels

bug
3 (High Risk)
low quality report
satisfactory
duplicate-82

External Links

Lines of code

https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngRelayAuction.sol#L147-L148

Vulnerability details

Impact

When the rewards are calculated using _computeRewards(), the attacker's inflated rewardFraction will be used, giving them a bigger share.

Proof of Concept

The _rngAuctionResult passed to rngComplete() is stored directly into the auctionResults array without any validation. An attacker could call rngComplete() with a manipulated _rngAuctionResult that has an inflated rewardFraction value. This would allow the attacker to receive a larger share of the rewards.

Tools Used

Manual

_rngAuctionResult should be validated before using it. For example:

• Check that rewardFraction is within an expected range
• Ensure recipient is the address of the valid RNG relay contract
• Compare values to previously stored auction results to detect manipulation

Assessed type

Other

#0 - c4-pre-sort

2023-08-08T04:13:19Z

raymondfam marked the issue as duplicate of #82

#1 - c4-pre-sort

2023-08-08T04:13:29Z

raymondfam marked the issue as low quality report

#2 - c4-judge

2023-08-14T02:51:21Z

HickupHH3 marked the issue as satisfactory
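
The checks that the two submissions above and the judge's access-control remark point to, as an added sketch that is not code from the submissions or from PoolTogether: restrict the caller, bound the relayed timestamp, and derive rewardFraction on-chain instead of accepting it as an argument. All names other than rngComplete, _rngCompletedAt, rewardFraction and recipient are hypothetical, and a single trusted relayer address is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added sketch, not PoolTogether code. Contract, error and storage names
// are hypothetical; a single trusted relayer address is an assumption.
abstract contract RelayAuctionSketch {
    struct AuctionResult { address recipient; uint64 rewardFraction; }

    address public immutable trustedRelayer;  // assumed: the only legitimate caller
    uint64 public immutable auctionDuration;  // auction length in seconds
    AuctionResult public lastResult;

    error NotRelayer(address caller);
    error CompletedInFuture(uint256 rngCompletedAt);
    error AuctionExpired(uint64 elapsed);
    error ZeroRecipient();

    constructor(address relayer_, uint64 duration_) {
        trustedRelayer = relayer_;
        auctionDuration = duration_;
    }

    // The reward curve is left to the implementer: the point of the sketch
    // is who controls the curve's input, not the curve's shape.
    function _fractionalReward(uint64 elapsed) internal view virtual returns (uint64);

    function rngComplete(uint256 _rngCompletedAt, address _rewardRecipient) external {
        // 1. Access control: the arguments are only meaningful when they
        //    come from the relayer, so any other caller is rejected.
        if (msg.sender != trustedRelayer) revert NotRelayer(msg.sender);

        // 2. Sanity bounds on the relayed timestamp: not in the future,
        //    and not older than the auction window.
        if (_rngCompletedAt > block.timestamp) revert CompletedInFuture(_rngCompletedAt);
        uint64 elapsed = uint64(block.timestamp - _rngCompletedAt);
        if (elapsed >= auctionDuration) revert AuctionExpired(elapsed);

        if (_rewardRecipient == address(0)) revert ZeroRecipient();

        // 3. rewardFraction is computed here from the bounded elapsed time;
        //    it is never read from calldata.
        lastResult = AuctionResult(_rewardRecipient, _fractionalReward(elapsed));
    }
}
```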
