Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

QA Report #130

Open
code423n4 opened this issue Jul 19, 2022 · 0 comments
Open

QA Report #130

code423n4 opened this issue Jul 19, 2022 · 0 comments
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4
Copy link
Contributor

Low

1. Very Outdated packages

Some used packages are out of date, it is good practice to use the latest version of these packages:

"@ensdomains/buffer": "^0.0.13" => 0.1.0
"@openzeppelin/contracts": "^4.1.0" => 4.7.0

2. Outdated compiler

The pragma version used is:

pragma solidity ^0.8.4;
pragma solidity ^0.8.13;

But recently solidity released a new version with important Bugfixes:

  • The first one is related to ABI-encoding nested arrays directly from calldata. You can find more information here.

  • The second bug is triggered in certain inheritance structures and can cause a memory pointer to be interpreted as a calldata pointer or vice-versa. We also have a dedicated blog post about this bug.

Apart from these, there are several minor bug fixes and improvements.

The minimum required version should be 0.8.15

3. Lack of ACK during owner change

It's possible to lose the ownership under specific circumstances.

Because an human error it's possible to set a new invalid owner. When you want to change the owner's address it's better to propose a new owner, and then accept this ownership with the new wallet.

Affected source code:

4. Lack of check

The following lines requires a valid address as an argument, in some of them, once the value is set, it cannot be changed again, so it is mandatory to check if these values are as expected.

Affected source code for address(0):

5. Ether could be blocked

The user's ether could be locked and unrecoverable.

Because to transfer ether the .transfer method (which is capped at 2300 gas) is used instead of .call which is limited to the gas provided by the user. If a contract that has a fallback method more expensive than 2300 gas, creates an offer, it will be impossible for this contract cancel the offer or receive funds back to that address.

Reference:

  • transfer -> The receiving smart contract should have a fallback function defined or else the transfer call will throw an error. There is a gas limit of 2300 gas, which is enough to complete the transfer operation. It is hardcoded to prevent reentrancy attacks.
  • send -> It works in a similar way as to transfer call and has a gas limit of 2300 gas as well. It returns the status as a boolean.
  • call -> It is the recommended way of sending ETH to a smart contract. The empty argument triggers the fallback function of the receiving address.

Affected lines:

High impact:

Low impact:

Recommended Mitigation Steps:

  • Use .call instead of .transfer.

6. Use encode instead of encodePacked for hashig

Use of abi.encodePacked is safe, but unnecessary and not recommended. abi.encodePacked can result in hash collisions when used with two dynamic arguments (string/bytes).

There is also discussion of removing abi.encodePacked from future versions of Solidity (ethereum/solidity#11593), so using abi.encode now will ensure compatibility in the future.

Affected source code:

7. Logic mismatch in ERC1155Fuse

In the contract ERC1155Fuse the methods safeTransferFrom and safeBatchTransferFrom has different logic when the to is the same owner. if the user use safeTransferFrom to transfer a not owned item to the same owner, nothing will happend, and no-revert will ocurr, but if you use safeBatchTransferFrom a revert will happend.

In the ERC1155Fuse contract, the safeTransferFrom and safeBatchTransferFrom methods have different logic when the destination (to) is the owner. if the user uses safeTransferFrom to transfer an item that they don't own to the same owner, nothing will happen and it won't be reverted, but if they use safeBatchTransferFrom, it will be reverted.

Affected source code:

8. now alias should be avoided

There is an argument named now, this is an alias that could work in a different way with different versions of solidity because it's a reserved word. As the documentation said is not critical, but should be avoided.

In version 0.7.0, the alias now (for block.timestamp) was removed.

Reference:

Affected source code:

Non-Critical or OutOfScope

9. Open TODO

The code that contains "open todos" reflects that the development is not finished and that the code can change a posteriori, prior release, with or without audit.

Affected source code:

10. [OutOfScope] Use abstract for base contracts

Abstract contracts are contracts that have at least one function without its implementation. An instance of an abstract cannot be created.

Reference:

Affected source code:

11. [OutOfScope] Lack of auth

The following methods do not have any authentication and the states can be modified by anyone:

https://github.com/code-423n4/2022-07-ens/blob/ff6e59b9415d0ead7daf31c2ed06e86d9061ae22/contracts/ethregistrar/TestResolver.sol#L21
https://github.com/code-423n4/2022-07-ens/blob/ff6e59b9415d0ead7daf31c2ed06e86d9061ae22/contracts/ethregistrar/DummyOracle.sol#L11
https://github.com/code-423n4/2022-07-ens/blob/ff6e59b9415d0ead7daf31c2ed06e86d9061ae22/contracts/registry/TestRegistrar.sol#L31

@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Jul 19, 2022
code423n4 added a commit that referenced this issue Jul 19, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Development

No branches or pull requests

1 participant