Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Owner can rug reward NFT from the winner #171

Closed
code423n4 opened this issue Dec 15, 2022 · 3 comments
Closed

Owner can rug reward NFT from the winner #171

code423n4 opened this issue Dec 15, 2022 · 3 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-146 edited-by-warden satisfactory satisfies C4 submission criteria; eligible for awards upgraded by judge Original issue severity upgraded from QA/Gas by judge

Comments

@code423n4
Copy link
Contributor

code423n4 commented Dec 15, 2022
edited
Loading

Lines of code

https://github.com/code-423n4/2022-12-forgeries/blob/main/src/VRFNFTRandomDraw.sol#L83-L88
https://github.com/code-423n4/2022-12-forgeries/blob/main/src/VRFNFTRandomDraw.sol#L159
https://github.com/code-423n4/2022-12-forgeries/blob/main/src/VRFNFTRandomDraw.sol#L314-L317

Vulnerability details

Impact

Settings variable drawBufferTime represents the buffer time that forbids owner to trigger redraw and thus allows winner to claim the reward NFT via winnerClaimNFT function. There is also another recoverTimelock settings variable that defines time when the owner can reclaim the reward NFT via lastResortTimelockOwnerClaimNFT. The issue is that drawBufferTime and recoverTimelock are not correctly checked which leads to situation that both triggering winnerClaimNFT and lastResortTimelockOwnerClaimNFT is possible.

Example 1:

  1. Draw is initialized with:
    • drawBufferTime 1 month
    • recoverTimeLock 1 week
  2. startDraw() is called by the owner
    • drawTimeLock is set to the next month
    • recoverTimeLock is always set to 1 week
  3. Winner thinks that he has 1 month to claim the reward NFT, but after 1 week owner withdraws NFT not letting the winner to claim the reward.

The issue is also present in case there are multiple redraws (via redraw function) that lead to expiration of recoverTimeLock which allows owner to trigger lastResortTimelockOwnerClaimNFT function.

Proof of Concept

Recommended Mitigation Steps

It is recommended to set drawBufferTime and recoverTimeLock to values that will hold relationship recoverTimeLock = block.timestamp + drawBufferTime + X. In addition value of recoverTimeLock should be set properly in every _requestRoll function execution. Disallow owner to withdraw the NFT before the drawTimelock is expired.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Dec 15, 2022
code423n4 added a commit that referenced this issue Dec 15, 2022
@code423n4
Apocalypto issue #171
188c740
@c4-judge
Copy link
Contributor

gzeon-c4 marked the issue as duplicate of #146

@c4-judge
Copy link
Contributor

gzeon-c4 marked the issue as satisfactory

@c4-judge c4-judge added satisfactory satisfies C4 submission criteria; eligible for awards 3 (High Risk) Assets can be stolen/lost/compromised directly upgraded by judge Original issue severity upgraded from QA/Gas by judge and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Jan 23, 2023
@c4-judge
Copy link
Contributor

gzeon-c4 changed the severity to 3 (High Risk)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-146 edited-by-warden satisfactory satisfies C4 submission criteria; eligible for awards upgraded by judge Original issue severity upgraded from QA/Gas by judge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@code423n4 @c4-judge