Art Gobblers contest - throttle's results

Experimental Decentralized Art Factory By Justin Roiland and Paradigm.

General Information

Platform: Code4rena

Start Date: 20/09/2022

Pot Size: $100,000 USDC

Total HM: 4

Participants: 109

Period: 7 days

Judge: GalloDaSballo

Id: 163

League: ETH

Art Gobblers

Findings Distribution

Researcher Performance

Rank: 56/109

Findings: 1

Award: $55.20

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Art Gobblers

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1f8b, 0x4non, 0x52, 0x5rings, 0xNazgul, 0xRobocop, 0xSmartContract, 0xdeadbeef, 0xsanson, 8olidity, Amithuddar, Aymen0909, B2, B353N, CertoraInc, Ch_301, Chom, CodingNameKiki, Deivitto, ElKu, Funen, JC, JohnnyTime, Kresh, Lambda, Noah3o6, RaymondFam, ReyAdmirado, RockingMiles, Rolezn, Sm4rty, SuldaanBeegsi, Tadashi, TomJ, Tomio, V_B, Waze, __141345__, a12jmx, ak1, arcoun, asutorufos, aviggiano, berndartmueller, bharg4v, bin2chen, brgltd, bulej93, c3phas, catchup, cccz, ch0bu, cryptonue, cryptphi, csanuragjain, delfin454000, devtooligan, djxploit, durianSausage, eighty, erictee, exd0tpy, fatherOfBlocks, giovannidisiena, hansfriese, ignacio, joestakey, ladboy233, lukris02, m9800, malinariy, martin, minhtrng, obront, oyc_109, pedr02b2, pedroais, pfapostol, philogy, prasantgupta52, rbserver, ronnyx2017, rotcivegaf, rvierdiiev, sach1r0, shung, simon135, throttle, tnevler, tonisives, wagmi, yixxas, zkhorse, zzykxx, zzzitron

Awards

55.1985 USDC - $55.20

Labels

bug

disagree with severity

QA (Quality Assurance)

old-submission-method

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/ArtGobblers.sol#L560-L567

Vulnerability details

Impact

Reveal feature halted. Unfair disadvantage for holders with unrevealed Gobblers

Proof of Concept

https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/ArtGobblers.sol#L560-L567

When setting new oracle there is no validation if the new address is address(0) or a smart contract

The severity here is that an orcale randomness feed might be temporarily halt and with that the reveal feature is halted. And this is detrimental to the unrevealed Gobbler holders because they are late in Goo emissions which means they lose purchasing power.

Tools Used

Manual review

Recommended Mitigation Steps

Validate oracle address

#0 - Shungy
2022-09-28T13:37:25Z

It can be upgraded again to a proper address.

#1 - GalloDaSballo
2022-10-09T16:35:47Z

Address(0) -> Low

Art Gobblers contest - throttle's results

Experimental Decentralized Art Factory By Justin Roiland and Paradigm.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-96] QA Report - $55.20

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - Shungy2022-09-28T13:37:25Z

#1 - GalloDaSballo2022-10-09T16:35:47Z

#2 - GalloDaSballo2022-10-09T16:35:49Z

#0 - Shungy
2022-09-28T13:37:25Z

#1 - GalloDaSballo
2022-10-09T16:35:47Z

#2 - GalloDaSballo
2022-10-09T16:35:49Z