Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Some ETH may be locked in the contract #332

Closed
howlbot-integration bot opened this issue Aug 9, 2024 · 6 comments
Closed

Some ETH may be locked in the contract #332

howlbot-integration bot opened this issue Aug 9, 2024 · 6 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-218 grade-c QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_54_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@howlbot-integration
Copy link

Lines of code

https://github.com/code-423n4/2024-07-traitforge/blob/main/contracts/EntityForging/EntityForging.sol#L126 https://github.com/code-423n4/2024-07-traitforge/blob/main/contracts/EntityForging/EntityForging.sol#L146-L159

Vulnerability details

Impact

The msg.value passed in when the forgeWithListed function of the EntityForging contract is called can be greater than the forgingFee. However, when processing the incoming eth, the sum of devFee and forgerShare is equal to the forgingFee. If msg.value is greater than forgingFee, then the eth of msg.value-forgingFee will be left in the contract and cannot be withdrawn.

Proof of Concept

Relevant code:
https://github.com/code-423n4/2024-07-traitforge/blob/main/contracts/EntityForging/EntityForging.sol#L126
https://github.com/code-423n4/2024-07-traitforge/blob/main/contracts/EntityForging/EntityForging.sol#L146-L159

Modify some code in the official test case EntityForging.test.ts:

  describe('Forge With Listed', () => {
    it('should allow forging with a listed token', async () => {
      const forgerTokenId = FORGER_TOKEN_ID;
      const mergerTokenId = MERGER_TOKEN_ID;

      const initialBalance = await ethers.provider.getBalance(owner.address);

      const forgerEntropy = await nft.getTokenEntropy(forgerTokenId);
      const mergerEntrypy = await nft.getTokenEntropy(mergerTokenId);
      /// The new token id will be forger token id + 1, cause it's the last item
      const expectedTokenId = FORGER_TOKEN_ID + 1;
      await expect(
        entityForging
          .connect(user1)
          .forgeWithListed(forgerTokenId, mergerTokenId, {
            value: ethers.parseEther('1.1'),
          })
      )
        .to.emit(entityForging, 'EntityForged')
        .withArgs(
          expectedTokenId,
          forgerTokenId,
          mergerTokenId,
          (forgerEntropy + mergerEntrypy) / 2n,
          FORGING_FEE
        )
        .to.emit(nft, 'NewEntityMinted')
        .withArgs(
          await user1.getAddress(),
          expectedTokenId,
          2,
          (forgerEntropy + mergerEntrypy) / 2n
        );

      const finalBalance = await ethers.provider.getBalance(owner.address);
      const contractBalance = await ethers.provider.getBalance(entityForging.getAddress());

      expect(finalBalance - initialBalance).to.be.eq((FORGING_FEE * 9n) / 10n);
      // Check forger nft delisted
      expect(contractBalance).to.equal(0, "Error: Contract still has balance remaining");

      const listingInfo = await entityForging.listings(forgerTokenId);

      expect(listingInfo.isListed).to.be.eq(false);
    });
  });

Test output:

    listForForging
      ✔ should not allow non-owners to list a token for forging
      ✔ should allow the owner to list a token for forging
    Forge With Listed
      1) should allow forging with a listed token
    Auto cancel listing after list for sale in EntityTrading
      ✔ Shoudl cancel list for forging after list for sale in Entity Trading


  3 passing (783ms)
  1 failing

  1) EntityForging
       Forge With Listed
         should allow forging with a listed token:

      AssertionError: Error: Contract still has balance remaining: expected 100000000000000000 to equal 0.
      + expected - actual

      -100000000000000000
      +0

      at Context.<anonymous> (test\EntityForging.test.ts:188:34)

Tools Used

vscode, hardhat

Recommended Mitigation Steps

It is recommended to modify the code at EntityForging.sol#L126 to:

require(msg.value == forgingFee, 'Insufficient fee for forging');

Assessed type

ETH-Transfer
@howlbot-integration howlbot-integration bot added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value 🤖_54_group AI based duplicate group recommendation bug Something isn't working duplicate-218 sufficient quality report This report is of sufficient quality labels Aug 9, 2024
howlbot-integration bot added a commit that referenced this issue Aug 9, 2024
@howlbot-integration
hxzy issue #332
d0d29d8
@c4-judge
Copy link
Contributor

koolexcrypto changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax grade-c unsatisfactory does not satisfy C4 submission criteria; not eligible for awards and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Aug 18, 2024
@c4-judge
Copy link
Contributor

koolexcrypto marked the issue as grade-c

@c4-judge c4-judge reopened this Aug 31, 2024
@c4-judge
Copy link
Contributor

This previously downgraded issue has been upgraded by koolexcrypto

@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value and removed downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Aug 31, 2024
@c4-judge
Copy link
Contributor

koolexcrypto marked the issue as duplicate of #687

@c4-judge
Copy link
Contributor

c4-judge commented Sep 5, 2024

koolexcrypto marked the issue as duplicate of #218

@c4-judge
Copy link
Contributor

c4-judge commented Sep 6, 2024

koolexcrypto changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Sep 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-218 grade-c QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax 🤖_54_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@c4-judge