Platform: Code4rena
Start Date: 03/05/2022
Pot Size: $30,000 USDC
Total HM: 6
Participants: 93
Period: 3 days
Judge: gzeon
Id: 118
League: ETH
Rank: 44/93
Findings: 2
Award: $78.98
🌟 Selected for report: 0
🚀 Solo Findings: 0
48.5872 USDC - $48.59
https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsMinter.sol#L610 https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsMinter.sol#L618 https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsGuild.sol#L164 https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsGuild.sol#L175 https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsMinter.sol#L629
In Minter:withdraw and Minter:withdrawAll, send is used to withdraw ETH from the contract to the designated vault address. send only forwards 2300 gas, and gas costs can change in the future. If the vault is a smart contract that requires more than 2300 gas to receive ETH, the call will always fail and thus the team will not be able to withdraw the funds.
There are also other uses of send and transfer that are linked above. I believe medium severity to be valid since the vault address can be changed if needed.
ForgottenRunesWarriorsMinter.sol contains withdraw():
function withdraw(uint256 _amount) public onlyOwner { require(address(vault) != address(0), 'no vault'); require(payable(vault).send(_amount)); }
Manual review
Replace all of these with the suggested call.value function and check the boolean return value. Since these functions are access controlled, re-entrancy is a non issue.
Reference: https://consensys.net/diligence/blog/2019/09/stop-using-soliditys-transfer-now/
#0 - KenzoAgada
2022-06-06T12:48:58Z
Duplicate of #254
#1 - gzeoneth
2022-06-18T17:23:30Z
This is true but also these are onlyOwner function where the owner have full control of the destination address to mitigate any issue in production. Downgrading to Low / QA.
🌟 Selected for report: defsec
Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0x52, 0xDjango, 0xf15ers, 0xkatana, 0xliumin, AuditsAreUS, BowTiedWardens, CertoraInc, Cr4ckM3, Funen, GimelSec, Hawkeye, IllIllI, Kulk0, M0ndoHEHE, MaratCerby, Picodes, Ruhum, TerrierLover, TrungOre, VAD37, WatchPug, berndartmueller, broccolirob, catchup, cccz, cryptphi, csanuragjain, delfin454000, dirk_y, eccentricexit, ellahi, fatherOfBlocks, gzeon, hake, hansfriese, hickuphh3, horsefacts, hubble, hyh, ilan, joestakey, kebabsec, kenta, kenzo, leastwood, m9800, marximimus, minhquanym, oyc_109, p4st13r4, pauliax, pedroais, peritoflores, plotchy, rajatbeladiya, reassor, rfa, robee, rotcivegaf, samruna, shenwilly, shung, simon135, sorrynotsorry, sseefried, teddav, throttle, tintin, unforgiven, z3s
30.3871 USDC - $30.39
No check for out-of-bounds array access when issuing refunds in issueRefunds. When looping through the provided start and end indexes, the endIdx can be >= the length of the array, throwing an error and reverting, wasting gas. https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsMinter.sol#L355
Add additional checks in setPhaseTimes for incorrect daStartTime and mintlistStartTime according to the timeline outlined. Especially for the daStartTime, since the logic around finalPrice is vital to other functions. https://github.com/code-423n4/2022-05-runes/blob/060b4f82b79c8308fe65674a39a07c44fa586cd3/contracts/ForgottenRunesWarriorsMinter.sol#L480-L500
#0 - cryppadotta
2022-05-05T02:27:00Z