Revolution Protocol - twcctop's results

A protocol to empower communities to raise funds, fairly distribute governance, and maximize their impact in the world.

General Information

Platform: Code4rena

Start Date: 13/12/2023

Pot Size: $36,500 USDC

Total HM: 18

Participants: 110

Period: 8 days

Judge: 0xTheC0der

Id: 311

League: ETH

Collective

Findings Distribution

Researcher Performance

Rank: 63/110

Findings: 2

Award: $45.37

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

44.0266 USDC - $44.03

Labels

bug
3 (High Risk)
satisfactory
sufficient quality report
upgraded by judge
duplicate-210

External Links

Lines of code

https://github.com/code-423n4/2023-12-revolutionprotocol/blob/08ff070da420e95d7c7ddf9d068cbf54433101c4/packages/revolution/src/ERC20TokenEmitter.sol#L152-L230

Vulnerability details

Impact

Tokens may get stuck when calling buyToken: the buyToken tokens are not fully sent.

Proof of Concept

In buyToken, there are two pieces of token-sending logic:

    (bool success, ) = treasury.call{ value: toPayTreasury }(new bytes(0));
    require(success, "Transfer failed.");

    //Transfer ETH to creators
    if (creatorDirectPayment > 0) {
        (success, ) = creatorsAddress.call{ value: creatorDirectPayment }(new bytes(0));
        require(success, "Transfer failed.");
    }

There is no other token-sending logic. The issue is that toPayTreasury and creatorDirectPayment may not equal the total msgValueRemaining.

According to the logic

    int totalTokensForCreators = ((msgValueRemaining - toPayTreasury) - creatorDirectPayment) > 0
        ? getTokenQuoteForEther((msgValueRemaining - toPayTreasury) - creatorDirectPayment)
        : int(0);

((msgValueRemaining - toPayTreasury) - creatorDirectPayment) can be > 0, and this part of the tokens may get stuck in the contract.

Tools Used

manual

This part of the tokens should be sent to the creator or the treasury.

Assessed type

Context

#0 - c4-pre-sort

2023-12-22T00:59:27Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2023-12-22T00:59:38Z

raymondfam marked the issue as duplicate of #13

#2 - c4-pre-sort

2023-12-24T02:55:05Z

raymondfam marked the issue as duplicate of #406

#3 - c4-judge

2024-01-05T23:06:19Z

MarioPoneder changed the severity to 3 (High Risk)

#4 - c4-judge

2024-01-05T23:07:00Z

MarioPoneder marked the issue as satisfactory
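
The accounting gap described in the finding above, modelled in Python as an added example (not the researcher's or the project's code). The basis-point split and the names `creator_rate_bps` and `entropy_rate_bps` are assumptions, and the mitigated variant forwards the remainder to the treasury, one of the two options the finding suggests.

```python
# Added example: a Python model of the ETH accounting in buyToken.
# The split formula and its basis-point parameters are assumptions for
# illustration; only the two sends and the remainder come from the finding.
from dataclasses import dataclass

BPS = 10_000


@dataclass
class Settlement:
    to_treasury: int  # wei sent by treasury.call{ value: toPayTreasury }
    to_creators: int  # wei sent by creatorsAddress.call{ value: creatorDirectPayment }
    stranded: int     # wei still held by the contract after both sends


def split(msg_value_remaining: int, creator_rate_bps: int, entropy_rate_bps: int):
    """Hypothetical split: treasury share first, then the creators' direct share."""
    to_pay_treasury = msg_value_remaining * (BPS - creator_rate_bps) // BPS
    creator_direct = (msg_value_remaining - to_pay_treasury) * entropy_rate_bps // BPS
    return to_pay_treasury, creator_direct


def settle_as_reported(msg_value_remaining, creator_rate_bps, entropy_rate_bps):
    """Performs only the two sends quoted in the finding."""
    treasury, creators = split(msg_value_remaining, creator_rate_bps, entropy_rate_bps)
    stranded = msg_value_remaining - treasury - creators
    return Settlement(treasury, creators, stranded)


def settle_with_mitigation(msg_value_remaining, creator_rate_bps, entropy_rate_bps):
    """Forwards the remainder as well (assumed destination: the treasury)."""
    treasury, creators = split(msg_value_remaining, creator_rate_bps, entropy_rate_bps)
    remainder = msg_value_remaining - treasury - creators
    return Settlement(treasury + remainder, creators, 0)


def conserved(s: Settlement, msg_value_remaining: int) -> bool:
    """Invariant for a test suite: every wei received is sent out again."""
    return s.stranded == 0 and s.to_treasury + s.to_creators == msg_value_remaining


if __name__ == "__main__":
    one_ether = 10**18  # constructed sample input
    print(settle_as_reported(one_ether, 1_000, 5_000))
    print(settle_with_mitigation(one_ether, 1_000, 5_000))
```
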

Awards

1.337 USDC - $1.34

Labels

bug
2 (Med Risk)
downgraded by judge
grade-c
partial-50
sufficient quality report
duplicate-515

External Links

Lines of code

https://github.com/code-423n4/2023-12-revolutionprotocol/blob/08ff070da420e95d7c7ddf9d068cbf54433101c4/packages/revolution/src/AuctionHouse.sol#L336-L361

https://github.com/code-423n4/2023-12-revolutionprotocol/blob/08ff070da420e95d7c7ddf9d068cbf54433101c4/packages/revolution/src/AuctionHouse.sol#L287-L291

Vulnerability details

Impact

setReservePrice may affect the settleAuction logic

Proof of Concept

    function _settleAuction() internal {
        ...
        if (address(this).balance < reservePrice) {
            ...
            // And then burn the Noun
            verbs.burn(_auction.verbId);

In function _settleAuction, if the balance of the contract is less than reservePrice, the verb NFT will be burned and not sent to the bidder. Let's take a look at when this situation happens: in createBid, there is a reservePrice check, so the situation address(this).balance < reservePrice in _settleAuction happens only when the admin role changes reservePrice during an auction.

    function setReservePrice(uint256 _reservePrice) external override onlyOwner {
        reservePrice = _reservePrice;

        emit AuctionReservePriceUpdated(_reservePrice);
    }

So the issue is: during an auction, a user has the highest bid, but due to the change of reservePrice, this user cannot get the NFT.

Tools Used

manual

The NFT should be transferred to the bidder.

Assessed type

Context

#0 - c4-pre-sort

2023-12-21T23:47:38Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2023-12-21T23:48:07Z

raymondfam marked the issue as duplicate of #55

#2 - c4-pre-sort

2023-12-24T14:17:44Z

raymondfam marked the issue as duplicate of #495

#3 - c4-judge

2024-01-06T18:14:50Z

MarioPoneder changed the severity to QA (Quality Assurance)

#4 - c4-judge

2024-01-07T16:02:49Z

MarioPoneder marked the issue as grade-c

#5 - c4-judge

2024-01-10T17:32:52Z

This previously downgraded issue has been upgraded by MarioPoneder

#6 - c4-judge

2024-01-10T17:33:11Z

MarioPoneder marked the issue as duplicate of #515

#7 - c4-judge

2024-01-10T17:34:18Z

MarioPoneder marked the issue as partial-50

#8 - c4-judge

2024-01-11T18:03:12Z

MarioPoneder changed the severity to 2 (Med Risk)
