_payoutToken[s]() is not compatible with tokens with missing return value #456

Open
Tracked by #93
code423n4 opened this issue Oct 25, 2022 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working primary issue Highest quality submission among a set of duplicates responded The Holograph team has reviewed and responded selected for report This submission will be included/highlighted in the audit report sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4 (Contributor)

Lines of code

https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/src/enforcer/PA1D.sol#L317
https://github.com/code-423n4/2022-10-holograph/blob/f8c2eae866280a1acfdc8a8352401ed031be1373/src/enforcer/PA1D.sol#L340

Vulnerability details

Impact

Payout is blocked and tokens are stuck in contract.

Proof of Concept

PA1D._payoutToken() and PA1D._payoutTokens() call ERC20.transfer() in a require-statement to send tokens to a list of payout recipients.
Some tokens do not return a bool (e.g. USDT, BNB, OMG) on ERC20 methods. But since the require-statement expects a bool, for such a token a void return will also cause a revert, despite an otherwise successful transfer. That is, the token payout will always revert for such tokens.

Tools Used

Code inspection

Recommended Mitigation Steps

Use OpenZeppelin's SafeERC20, which handles the return value check as well as non-standard-compliant tokens.
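The pattern the finding describes and the mitigation it recommends, as an added Solidity example (not Holograph's code): `PayoutBefore` mirrors the `require(token.transfer(...))` shape of `_payoutToken()`, `SafeTransfer` follows the approach OpenZeppelin's `SafeERC20.safeTransfer` takes (low-level call, decode a bool only if return data is present), and `NoReturnToken` is a constructed stand-in for a USDT-style token whose `transfer()` returns nothing. Contract and function names here are illustrative assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Standard ERC20 surface the payout code expects. A token whose transfer()
// has no return value still matches this selector, but returns 0 bytes.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract PayoutBefore {
    // Vulnerable pattern from the finding: the compiler-generated call site
    // expects 32 bytes of return data to decode the bool. If the token returns
    // nothing, the decode step reverts even though the transfer succeeded, so
    // the whole payout reverts and the tokens stay in this contract.
    function payoutToken(IERC20 token, address[] memory recipients, uint256[] memory amounts) public {
        require(recipients.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < recipients.length; i++) {
            require(token.transfer(recipients[i], amounts[i]), "Couldn't transfer token");
        }
    }
}

library SafeTransfer {
    // Hardened pattern in the style of SafeERC20.safeTransfer:
    //  1. reject addresses with no code (a call to an EOA "succeeds" with empty data),
    //  2. make a low-level call so the return data is not decoded automatically,
    //  3. require the call did not revert,
    //  4. only if the token returned data, require that it decodes to true.
    // Tokens that return nothing pass; tokens that return false still revert.
    function safeTransfer(IERC20 token, address to, uint256 amount) internal {
        require(address(token).code.length > 0, "SafeTransfer: not a contract");
        (bool ok, bytes memory data) = address(token).call(
            abi.encodeWithSelector(token.transfer.selector, to, amount)
        );
        require(ok, "SafeTransfer: call failed");
        if (data.length > 0) {
            require(abi.decode(data, (bool)), "SafeTransfer: transfer returned false");
        }
    }
}

contract PayoutAfter {
    using SafeTransfer for IERC20;

    // Same loop as PayoutBefore, but a missing return value no longer blocks payout.
    function payoutToken(IERC20 token, address[] memory recipients, uint256[] memory amounts) public {
        require(recipients.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < recipients.length; i++) {
            token.safeTransfer(recipients[i], amounts[i]);
        }
    }
}

// Constructed test token modelling USDT-style behaviour: transfer() returns no value.
// Funding PayoutBefore with it and calling payoutToken() reverts; PayoutAfter succeeds.
contract NoReturnToken {
    mapping(address => uint256) public balanceOf;

    constructor() {
        balanceOf[msg.sender] = 1_000_000;
    }

    function transfer(address to, uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}
```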

@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Oct 25, 2022
code423n4 added a commit that referenced this issue Oct 25, 2022
@gzeoneth gzeoneth added primary issue Highest quality submission among a set of duplicates sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") labels Oct 28, 2022
@alexanderattar

Low priority, but can be updated to ensure compatibility with all ERC20 tokens

@alexanderattar alexanderattar added the responded The Holograph team has reviewed and responded label Nov 8, 2022
@CloudEllie CloudEllie added the selected for report This submission will be included/highlighted in the audit report label Nov 28, 2022
alexanderattar added a commit to holographxyz/holograph-protocol that referenced this issue Dec 2, 2022
alexanderattar added a commit to holographxyz/holograph-protocol that referenced this issue Dec 6, 2022
* First pass at royalty contract improvements

* Second pass on royalty improvements from C4 audit

* Remove broken check

* Minor check and comments added

* Remove check for greater than 10000 tokens for ERC20s in royalties

* Add usage notes for payout functions

* Add logic to allow setting a slot to use either transfer or call

* Add handling for code-423n4/2022-10-holograph-findings#456

* Fix tests by passing proper init code

* Add dev note on _callOptionalReturn

* Limit payout addresses to 10

* Add test for max addresses

* Improvement/holo 614 royalties smart contracts tests (#86)

* royalties distribution

* removed comments

Co-authored-by: Alexander <alexanderattar@gmail.com>

* cleanup

* check send amount on ethPayouts

Co-authored-by: Natalie Bravo <natalie.bravo@outlook.com>
Co-authored-by: Vitto <admin@vitto.io>
alexanderattar added a commit to holographxyz/holograph-protocol that referenced this issue Dec 7, 2022
alexanderattar added a commit to holographxyz/holograph-protocol that referenced this issue Dec 8, 2022
ACC01ADE added a commit to holographxyz/holograph-protocol that referenced this issue Dec 14, 2022
alexanderattar added a commit to holographxyz/holograph-protocol that referenced this issue Dec 14, 2022
alexanderattar added a commit to holographxyz/holograph-protocol that referenced this issue Dec 15, 2022