NextGen - zach's results

Advanced smart contracts for launching generative art projects on Ethereum.

General Information

Platform: Code4rena

Start Date: 30/10/2023

Pot Size: $49,250 USDC

Total HM: 14

Participants: 243

Period: 14 days

Judge: 0xsomeone

Id: 302

League: ETH

NextGen

Findings Distribution

Researcher Performance

Rank: 52/243

Findings: 1

Award: $137.89

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Labels

bug
2 (Med Risk)
partial-50
sponsor disputed
sufficient quality report
duplicate-741

Awards

137.8889 USDC - $137.89

External Links

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L150
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L257

Vulnerability details

Impact

The collection admin can overwrite the collectionArtistAddress while the collectionTotalSupply is zero. This can lead to confusion, incorrect attribution of artwork ownership, and potential disputes between artists and collection administrators.

Proof of Concept

The issue is in the setCollectionData function, which lets the collection admin replace the collectionArtistAddress whenever the current collectionTotalSupply is zero. Because the artist address can be swapped after the original artist has already signed, the newly assigned artist is prevented from registering their signature for the selected collectionId.

  1. The collection admin calls the setCollectionData function for the first time; the _collectionTotalSupply is zero and the _collectionArtistAddress is artist A. https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L147
  2. Artist A calls the artistSignature function to register their signature. https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L257
  3. The collection admin calls setCollectionData again with another artist B; the update succeeds because the collectionTotalSupply is still zero. https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L149
  4. Artist B now cannot register via artistSignature, because a signature has already been recorded for the collection by artist A. https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L257

Tools Used

Manual Review

Recommended Mitigation Steps

Provide a function to update the artistSignature.
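The four-step sequence from the Proof of Concept and the recommended mitigation, as an added example in a deliberately simplified model contract written for this page; it is not NextGenCore.sol, and the storage layout, the onlyCollectionAdmin modifier and the updateArtistSignature function are assumptions. The one-shot artistSignature leaves a re-assigned collection holding artist A's signature, and the last function models the report's suggested fix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model of the artist/collection bookkeeping the finding describes.
// Hypothetical code written for this page, not NextGenCore.sol.
contract ArtistSignatureModel {
    address public immutable collectionAdmin;
    mapping(uint256 => address) public collectionArtistAddress;
    mapping(uint256 => uint256) public collectionTotalSupply;
    mapping(uint256 => string) public artistsSignatures;
    mapping(uint256 => bool) public artistSigned;

    constructor() {
        collectionAdmin = msg.sender;
    }

    modifier onlyCollectionAdmin() {
        require(msg.sender == collectionAdmin, "not collection admin");
        _;
    }

    // Steps 1 and 3: the admin may (re)assign the artist while the stored
    // collectionTotalSupply is still zero, so artist A can be replaced by B.
    function setCollectionData(uint256 collectionId, address artist, uint256 totalSupply)
        external
        onlyCollectionAdmin
    {
        require(collectionTotalSupply[collectionId] == 0, "supply already set");
        collectionArtistAddress[collectionId] = artist;
        collectionTotalSupply[collectionId] = totalSupply;
    }

    // Steps 2 and 4: signing is one-shot per collection. After A has signed,
    // the newly assigned artist B is rejected by the second require.
    function artistSignature(uint256 collectionId, string calldata signature) external {
        require(msg.sender == collectionArtistAddress[collectionId], "not the collection artist");
        require(!artistSigned[collectionId], "signature already registered");
        artistsSignatures[collectionId] = signature;
        artistSigned[collectionId] = true;
    }

    // One reading of the report's "provide function to update artistSignature":
    // the currently registered artist may replace a signature left by a previous
    // artist. Whether this stays open after minting is a design choice (assumption).
    function updateArtistSignature(uint256 collectionId, string calldata signature) external {
        require(msg.sender == collectionArtistAddress[collectionId], "not the collection artist");
        require(artistSigned[collectionId], "nothing to update");
        artistsSignatures[collectionId] = signature;
    }
}
```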

Assessed type

Access Control

#0 - c4-pre-sort

2023-11-15T14:44:46Z

141345 marked the issue as sufficient quality report

#1 - c4-pre-sort

2023-11-16T00:50:29Z

141345 marked the issue as primary issue

#2 - c4-sponsor

2023-11-23T09:37:00Z

a2rocket (sponsor) disputed

#3 - a2rocket

2023-11-23T09:37:42Z

Once the collection supply is not set, the artist can change. When the collectionSupply is set but the artist did not sign yet, the address can change. When the artist has signed, it cannot change. This is the intended design.

#4 - c4-judge

2023-12-06T15:14:47Z

alex-ppg marked issue #741 as primary and marked this issue as a duplicate of 741

#5 - c4-judge

2023-12-08T21:56:48Z

alex-ppg marked the issue as partial-50
