community-challenges's People
Forkers
revmischa m0ham3dx fbitti cybermonitor cybernewbies johnh6enry materaj2 alejos4n richizo web3dopamine nullblockone fdlucifer arbazkiraak quicklearnpro kippis-research cloudjunky eth-hacker cache-and-burn eugenioclrc m5l14i11 attacker-codeninja wwx20 mihanixa allpaca crypto-forks marcinek89xl diop bapbao anajembaedwin vickey2968 web3secresearch web3secresearch
community-challenges's Issues
RareNFT and nonce issue
The POC for the RareNFT assumes that the nonce doesn't change between the off-chain reading and the on-chain attack but that's unrealistic when there are other users.
Luckily, the nonce and the latest token id are in sync, and the latest id can be deduced on-chain in O(logN) time, where N is the number of users who called mint after we read nonce.
edit: Actually, MockERC721.nftId is public so we can just read it in O(1).
When running checks, the NodeJS version should be upgraded
The results in: https://github.com/immunefi-team/community-challenges/pull/7/checks say:
You are using a version of Node.js that is not supported by Hardhat, and it may work incorrectly, or not work at all.
Please, upgrade your Node.js version.
Shouldn't we do that?
Challenge 6 description and POC are inaccurate/misleading
Challenge 6 (KYC) is not about signature malleability, which would consist of changing the signature without invalidating it. (Something is malleable if you can change its shape without breaking it.)
In this challenge, any invalid signature will do. There's no need to start from a valid signature and alter the last byte. In a minimal POC a user deploys an app and the attacker calls onboardWithSig using a 0 signature. That's it!
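The distinction this comment draws, as an added example that is not part of the challenge repository or of this thread: a pure-Python textbook ECDSA over secp256k1 (the curve constants are the standard parameters; the private key, nonce and message are constructed for the demo) showing that the malleated signature (r, N - s) still verifies, that a low-s check rejects it, and that an all-zero signature is simply invalid rather than malleable.

```python
import hashlib

# secp256k1 domain parameters (standard curve constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:  # p1 == -p2
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # doubling (curve has a = 0)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def point_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result


def msg_hash(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(z, priv, k):
    """Textbook ECDSA. k is the per-signature nonce; a real signer derives it with RFC 6979."""
    r = point_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return (r, s)


def verify(z, pub, sig):
    """Plain ECDSA verification: accepts both (r, s) and (r, N - s)."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):  # rejects the all-zero signature outright
        return False
    w = pow(s, -1, N)
    u1, u2 = z * w % N, r * w % N
    pt = point_add(point_mul(u1, G), point_mul(u2, pub))
    return pt is not None and pt[0] % N == r


def is_low_s(sig):
    """Canonical-form check (the low-s rule that BIP-62 / EIP-2 impose)."""
    return 0 < sig[1] <= N // 2


def verify_strict(z, pub, sig):
    """Hardened verifier: only the canonical one of the two valid encodings passes."""
    return is_low_s(sig) and verify(z, pub, sig)


def malleate(sig):
    """The malleability transform: replace s with N - s, leaving the signature valid."""
    r, s = sig
    return (r, N - s)


# Constructed demo values (not from the challenge repository).
PRIV = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
PUB = point_mul(PRIV, G)
Z = msg_hash(b"onboard:0x0000000000000000000000000000000000000001")
K = 0x7A1B6F3D9C2E4B8A5D0F1C3E6B9A2D4F8C1E3B5A7D9F0C2E4B6A8D1F3C5E7B9A
SIG = sign(Z, PRIV, K)
CANONICAL = SIG if is_low_s(SIG) else malleate(SIG)
FLIPPED = malleate(CANONICAL)
ZERO_SIG = (0, 0)


if __name__ == "__main__":
    print("original verifies       :", verify(Z, PUB, CANONICAL))        # True
    print("malleated verifies      :", verify(Z, PUB, FLIPPED))          # True: same key and message, different bytes
    print("malleated passes low-s  :", verify_strict(Z, PUB, FLIPPED))   # False
    print("zero signature verifies :", verify(Z, PUB, ZERO_SIG))         # False: invalid, not malleable
```

The same two failure modes exist on-chain: the ecrecover precompile accepts both s values unless the contract itself enforces s <= N/2 (OpenZeppelin's ECDSA library does), and it returns address(0) for an invalid signature, so a contract that does not compare the recovered address against the expected signer, or that lets address(0) through, accepts garbage without any malleability being involved.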
wipeout of Staking2Attack.sol in Challenge 5 is puzzling
Taking the situation of feeExempt as an example:
wipeout = uint248((tokenBalance * rewardBalance + lastReward * stake) / (stake - tokenBalance))
The above expression is equivalent to:
(wipeout + rewardBalance) = (wipeout - lastReward) * stake / tokenBalance
The left side of the equation represents the total reward (including what we added) we need to receive, which is correct.
But there seems to be an issue on the right side of the equation: it should be the actual reward received by calling the sendReward function.
It is calculated through the following code:
amount = _tokenInfo.totalReward - _stakerInfo.lastReward; // line-1
if (balance != 0) {
amount = (amount * staked) / balance;
}
As line-1 shows, wipeout actually shouldn't be _tokenInfo.totalReward; it should be _tokenInfo.totalReward - _stakerInfo.lastReward. _tokenInfo.totalReward - _stakerInfo.lastReward means the value added by calling function addReward, which is wipeout.
So I think the correct equation may be (wipeout + rewardBalance) = wipeout * stake / tokenBalance, which can be used to derive the actual expression of wipeout as (tokenBalance * rewardBalance) / (stake - tokenBalance).
Of course, it's also possible that I misunderstood. Please help me correct it.