Exploring Missed Vulnerabilities: Code4rena ENS Audit Contest
The ENS Contest involved a relatively compact codebase for auditing, comprising approximately 200 lines of code. The identified issues, while not complex, mainly consisted of standard problems that have been previously reported. The code demonstrated robustness and clarity, making it easy to comprehend. In the following discussion, I will highlight some of the noteworthy discoveries from the contest.
The Findings
M-01. Some tokens enable the direct draining of all approved
ERC20Votestokens
The Vulnerability: In the case where the token employed as ERC20Votes responds with a boolean false from transferFrom() instead of reverting, it opens up the possibility for any user to transfer an arbitrary “X” amount of tokens to any delegate through delegateMulti().
Learning: This issue falls into the category of a standard concern, and its mitigation involves the utilization of SafeERC20.sol through safeTransferFrom(). Ensuring this safeguard would prevent the vulnerability.
[L-01]
assert()does not provide any information when thrown.
The Vulnerability: assert() is triggered when a user tries to re-delegate an amount exceeding the existing total, and it fails to provide an error message.
Learning: Employing assert() in this context is not considered good practice. It is advisable to use require() instead, as it enhances clarity and error reporting.
[L-02] OpenZeppelin’s ERC1155 forces contract recipients to implement
onERC115Received
The Vulnerability: In OpenZeppelin’s ERC1155, the _mintBatch() function demands that a contract user must be capable of accepting the token, meaning it implements the ERC721-like safe mint mechanism by default. An exceptional situation arises when the contract receiver is a MultiSig contract.
Learning: It’s crucial to anticipate potential edge cases. With Account Abstraction becoming commonplace, always contemplate how the token/NFT may interact with various types of recipients, such as contracts, MultiSig Wallets, etc.
ENS Contest Audit Report — https://code4rena.com/reports/2023-10-ens
Thank For Reading.
