Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA Report #9

Open
code423n4 opened this issue Feb 10, 2022 · 5 comments
Open

QA Report #9

code423n4 opened this issue Feb 10, 2022 · 5 comments
Assignees
@maximebrugel
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Missing token whitelisting puts stakeholders on risk

Contract: https://github.com/code-423n4/2022-02-nested/blob/main/contracts/FeeSplitter.sol#L146

  1. Attacker can call sendFees with a malicious token contract

  2. This increases the share balance of malicious token for each stake holder

  3. When stakeholders tries to withdraw there share of malicious token using releaseTokens, malicious contract will be called and code written by attacker will be executed (asking for unauthorized approvals, wasting Gas etc)

sendFees & sendFeesWithRoyalties not handling ETH token

Contract: https://github.com/code-423n4/2022-02-nested/blob/main/contracts/FeeSplitter.sol#L175

  1. Both sendFees & sendFeesWithRoyalties are not considering if the input _token is ETH as done in releaseTokens

Incorrect return message

Contract: https://github.com/code-423n4/2022-02-nested/blob/main/contracts/abstracts/MixinOperatorResolver.sol#L101

  1. The require statement incorrectly mentions INVALID_OUTPUT_TOKEN when it should be INVALID_INPUT_TOKEN
@code423n4 code423n4 added QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax bug Something isn't working labels Feb 10, 2022
code423n4 added a commit that referenced this issue Feb 10, 2022
@code423n4
csanuragjain issue #9
e506817
@maximebrugel
Copy link
Collaborator

"Missing token whitelisting puts stakeholders on risk" (Disputed)

Yes and no... Yes it can run malicious code in the transfer function, but we can skip the token if we want.
Same logic can be applied to NestedFactory. We can't really change that since we are not "whitelisting" tokens.

"sendFees & sendFeesWithRoyalties not handling ETH token" (Disputed)

We are only sending fees with ERC20 (so WETH and not ETH). In the releaseTokens tokens we are unwrapping the WETH to transfer ETH.

"Incorrect return message" (Confirmed)

@maximebrugel maximebrugel added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Feb 10, 2022
This was referenced Feb 15, 2022
Open
Open
@maximebrugel maximebrugel self-assigned this Feb 16, 2022
@maximebrugel
Copy link
Collaborator

Fixed in #70 commit

@maximebrugel maximebrugel mentioned this issue Feb 16, 2022
Merged
@harleythedogC4
Copy link
Collaborator

My personal judgements:

  1. "Missing token whitelisting puts stakeholders on risk". User's don't need to interact with tokens if they don't want to. Invalid
  2. "sendFees & sendFeesWithRoyalties not handling ETH token". As sponsor describes. Invalid.
  3. "Incorrect return message". Valid and non-critical.

@harleythedogC4
Copy link
Collaborator

Also adding in the reduced severity finding #10:
4. "Royalty owner can steal Stakeholders fees". Just code consistency. Valid and non-critical.

@harleythedogC4 harleythedogC4 mentioned this issue Mar 3, 2022
Closed
@harleythedogC4
Copy link
Collaborator

Now, here is the methodology I used for calculating a score for each QA report. I first assigned each submission to be either non-critical (1 point), very-low-critical (5 points) or low-critical (10 points), depending on how severe/useful the issue is. The score of a QA report is the sum of these points, divided by the maximum number of points achieved by a QA report. This maximum number was 26 points, achieved by #66.

The number of points achieved by this report is 2 points.
Thus the final score of this QA report is (2/26)*100 = 8.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maximebrugel maximebrugel

Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@maximebrugel @code423n4 @harleythedogC4