Liquid Staking

Stakelink

DeFiHardhatOracle

50,000 USDC

View results

Previous Next

Submission Details

Severity: high

Invalid

scripts/test/geth-dev-fund.ts

kp8877

The code you've shared is a script that interacts with an Ethereum blockchain using the Hardhat framework and the ethers.js library. It appears to send 50 ETH to accounts that have a zero balance. While the code seems functional for its intended purpose, there are several potential vulnerabilities and areas for improvement:

1. Environment Variable Handling

Vulnerability: If process.env.GETH_URL is not properly validated, it may lead to injection attacks or errors if the URL is not well-formed.
Recommendation: Ensure the environment variable is set and validate its format before using it.

2. Gas Price and Limits

Vulnerability: The script does not set a gas price or limit for the transaction, which can lead to failures if the network is congested or if the gas price is high.
Recommendation: Specify a gas limit and/or gas price in the transaction object. You can also fetch the current gas price using customHttpProvider.getGasPrice().

3. Error Handling for Transaction Send

Vulnerability: If the transaction fails (e.g., due to insufficient gas or network issues), the script does not handle this error gracefully, which could cause the script to exit unexpectedly.
Recommendation: Wrap the transaction sending logic in a try-catch block to catch and handle errors appropriately.

4. Coinbase and Signer Confusion

Vulnerability: The use of coinbase and coinbaseSigner may lead to confusion, especially if it's not clear whether this is intended to be the main account for sending funds. Additionally, getUncheckedSigner can potentially expose private keys.
Recommendation: Clarify the role of the coinbase account and consider using a more explicit naming convention to avoid confusion.

5. Account Balance Checking Logic

Vulnerability: The script assumes that the accounts array has valid and active Ethereum accounts. If an account does not exist or is not valid, this may lead to errors.
Recommendation: Validate each account before trying to get its balance. You can check if the address is a valid Ethereum address.

6. Sending Funds Without Confirmation

Vulnerability: The script blindly sends 50 ETH to any account with a zero balance, which could lead to loss of funds if used incorrectly.
Recommendation: Implement a confirmation prompt before sending funds, especially if this code is run in a production environment.

7. Security Risks of Hardcoded Amounts

Vulnerability: The amount being sent (50 ETH) is hardcoded, which could be risky if this script is run in an environment with fluctuating ETH prices.
Recommendation: Consider passing the amount as a parameter or retrieving it from a secure source to avoid accidental large transactions.

8. Rate Limiting and Resource Exhaustion

Vulnerability: If there are many accounts with zero balance, the script could exhaust resources (like gas) or hit rate limits on the RPC provider.
Recommendation: Implement rate limiting or batching of transactions to prevent hitting the provider's limits.

Improved Code Snippet Example

Here’s an example of how you might implement some of these recommendations:

import { ethers } from 'hardhat';

import { getAccounts } from '../utils/helpers';

async function main() {

const { accounts } = await getAccounts();

if (!process.env.GETH_URL) {

console.error('GETH_URL environment variable is not set.');

process.exit(1);

}

let customHttpProvider = new ethers.providers.JsonRpcProvider(process.env.GETH_URL);

let coinbase = await customHttpProvider.send('eth_coinbase', []);

let coinbaseSigner = await customHttpProvider.getUncheckedSigner(coinbase);

for (let i = 0; i < accounts.length; i++) {

let signer = await ethers.provider.getSigner(i);

let balance = await signer.getBalance();

if (balance.gt(0)) {

console.log(`Account ${await signer.getAddress()} already has a balance, skipping.`);

continue;

}

console.log('Sending 50 ETH to', await signer.getAddress());

let txObj = {

to: signer.getAddress(),

value: ethers.utils.parseEther('50'),

gasLimit: 21000, // Set an appropriate gas limit

gasPrice: await customHttpProvider.getGasPrice() // Use current gas price

};

try {

let tx = await coinbaseSigner.sendTransaction(txObj);

await tx.wait();

console.log(`Transaction successful: ${tx.hash}`);

} catch (error) {

console.error(`Failed to send transaction to ${await signer.getAddress()}:`, error);

}

main()

.then(() => process.exit(0))

.catch((error) => {

console.error(error);

process.exit(1);

});

Summary

Addressing these vulnerabilities and implementing the recommendations will make the code more robust and secure. Always test thoroughly in a controlled environment before deploying any scripts that handle cryptocurrency transactions.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Lack of quality

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.