Back to sorrynotsorry's contests

Canto contest - sorrynotsorry's results

Execution layer for original work.

General Information

Platform: Code4rena

Start Date: 23/11/2022

Pot Size: $24,500 CANTO

Total HM: 5

Participants: 37

Period: 5 days

Judge: berndartmueller

Total Solo HM: 2

Id: 185

League: ETH

Canto

Findings Distribution

Researcher Performance

Rank: 4/37

Findings: 1

Award: $2,197.91

🌟 Selected for report: 1

🚀 Solo Findings: 1

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryCanto

Findings Information

🌟 Selected for report: sorrynotsorry

Labels

bug
2 (Med Risk)
primary issue
selected for report
sponsor acknowledged
M-03

Awards

13609.3591 CANTO - $2,197.91

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-11-canto/blob/2733fdd1bee73a6871c6243f92a007a0b80e4c61/CIP-001/src/Turnstile.sol#L86-L101 https://github.com/code-423n4/2022-11-canto/blob/2733fdd1bee73a6871c6243f92a007a0b80e4c61/CIP-001/src/Turnstile.sol#L107-L120

Vulnerability details

Impact

There is no re-register or re-assign option for the smart contracts.

Let's assume a smart contract is registered either through the register() function with a new NFT minted or the assign() function to an existing NFT. However, if somehow, the NFT is burned by the owner or transferred to another owner either by an approval or compromised tx, there is no option to re-register for these contracts which create gas fees but might not get a fee distribution in return.

And if the NFT is burned or transferred to another owner, the smart contracts will lose the fees generated if not previously withdrawn.

Proof of Concept

register function;

    function register(address _recipient) public onlyUnregistered returns (uint256 tokenId) {
        address smartContract = msg.sender;

        if (_recipient == address(0)) revert InvalidRecipient();

        tokenId = _tokenIdTracker.current();
        _mint(_recipient, tokenId);
        _tokenIdTracker.increment();

        emit Register(smartContract, _recipient, tokenId);

        feeRecipient[smartContract] = NftData({
            tokenId: tokenId,
            registered: true
        });
    }

Permalink

assign function;

    function assign(uint256 _tokenId) public onlyUnregistered returns (uint256) {
        address smartContract = msg.sender;

        if (!_exists(_tokenId)) revert InvalidTokenId();

        emit Assign(smartContract, _tokenId);

        feeRecipient[smartContract] = NftData({
            tokenId: _tokenId,
            registered: true
        });

        return _tokenId;
    }

Permalink

Tools Used

Manual Review

The team might consider adding an option to validate historical registrations and re-register those contracts accordingly.

#0 - c4-judge

2022-12-05T10:42:50Z

berndartmueller marked the issue as duplicate of #134

#1 - c4-judge

2022-12-05T10:45:28Z

berndartmueller marked the issue as not a duplicate

#2 - c4-sponsor

2022-12-17T22:10:19Z

tkkwon1998 marked the issue as sponsor acknowledged

#3 - tkkwon1998

2022-12-17T22:11:30Z

Currently there is no way to re-assign or re-register. This is a known limitation, and will be made extremely clear to all devs registering their contracts.

#4 - c4-judge

2023-01-02T12:27:36Z

berndartmueller marked the issue as selected for report

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter