Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

QA Report #483

Closed
code423n4 opened this issue Oct 10, 2022 · 2 comments
Closed

QA Report #483

code423n4 opened this issue Oct 10, 2022 · 2 comments
Labels
bug Something isn't working edited-by-warden invalid This doesn't seem right QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@code423n4
Copy link
Contributor

code423n4 commented Oct 10, 2022
edited

[L-01] Unsafe ERC20 tokens transferring

Targets

Impact

Seller might not receive the payment for their token in the case when the ERC20 transfer fails and doesn't revert.

Proof of Concept

ExecutionDelegate is used to transfer payments from buyers to sellers. Payments are ERC20 tokens, and some ERC20
implementations (e.g. ZRX) return a
boolean on failure instead of reverting. In case such token is used as payment token, a failed transfer won't cause a
revert. Since ExecutionDelegate doesn't verify the return value of safeTransfer,
a failed transfer will result in a false positive: the seller won't get the payment, but the buyer will receive the token.

While only WETH (which reverts on failures) is allowed to be used as the payment token in the current implementation,
future modifications of the code might introduce new tokens, or the current version of the code might be deployed to
networks that use a non-reverting ERC20 wrapper implementation for their native currency.

Recommended Mitigation Steps

Consider validating the return value of the ERC20.safeTransferFrom in ExecutionDelegate. Use OpenZeppelin's SafeERC20
as a reference.

[NC-01] Opened and Closed events can be emitted when exchange is already opened/closed

Targets

Impact

Opened and Closed events can be emitted when is already in opened/closed state. This can cause confusion in off-chain
services that track activity of the exchange.

Recommended Mitigation Steps

Disallow emitting of Opened and Closed events when exchange is already in the target state.

[NC-02] Missing indexed field in events

Targets

Impact

Indexed fields allow to search events by values of indexed fields, which makes historical analysis of smart contracts
possible.

Recommended Mitigation Steps

Add indexed fields to events that don't have them.

[NC-03] ecrecover is malleable

Targets

Impact

The ecrecover function allows malleable signatures: a signature remain valid if its s-value gets flipped into the other
half of its range. Since a malleability check is missed in the code, it's allowed to submit signatures with either s-value.
However, this doesn't bear any risks, thus the non-critical status of the finding.

Recommended Mitigation Steps

Consider adding a malleability check.

[NC-04] Redundant v-value check in _recover

Targets

Impact

The v-value check is redundant since all client implementations check it. See:

  1. Remove invalid signature check on v in ECDSA
  2. https://twitter.com/alexberegszaszi/status/1534461421454606336
  3. Explain that ecrecover only accepts v={27,28}

Recommended Mitigation Steps

Consider removing the redundant v-value check.
@code423n4 code423n4 added bug Something isn't working QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Oct 10, 2022
code423n4 added a commit that referenced this issue Oct 10, 2022
@code423n4
Jeiwan issue #483
46514bf
code423n4 added a commit that referenced this issue Oct 10, 2022
@code423n4
Jeiwan data for issue #483
14bb0cb
code423n4 added a commit that referenced this issue Oct 10, 2022
@code423n4
Report for issue #483 updated by Jeiwan
09b56e6
@GalloDaSballo
Copy link
Collaborator

GalloDaSballo commented Oct 23, 2022
edited

[L-01] Unsafe ERC20 tokens transferring

TODO - M-01

[NC-01] Opened and Closed events can be emitted when exchange is already opened/closed

NC

[NC-02] Missing indexed field in events

Disagree with blanket statement

[NC-03] ecrecover is malleable

Valid but R as not clash in this system

[NC-04] Redundant v-value check in _recover

NC

Neat report, maybe a little short but quality of findings is good

@GalloDaSballo
Copy link
Collaborator

1R 2NC

@code423n4 code423n4 mentioned this issue Nov 7, 2022
Closed
@JeeberC4 JeeberC4 added invalid This doesn't seem right unsatisfactory does not satisfy C4 submission criteria; not eligible for awards labels Nov 8, 2022
@JeeberC4 JeeberC4 closed this as completed Nov 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working edited-by-warden invalid This doesn't seem right QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@GalloDaSballo @code423n4 @JeeberC4