Back to 0x4non's contests

ParaSpace contest - 0x4non's results

The First Ever Cross-Margin NFT Financialization Protocol.

General Information

Platform: Code4rena

Start Date: 28/11/2022

Pot Size: $192,500 USDC

Total HM: 33

Participants: 106

Period: 11 days

Judge: LSDan

Total Solo HM: 15

Id: 186

League: ETH

ParaSpace

Findings Distribution

Researcher Performance

Rank: 67/106

Findings: 1

Award: $103.92

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryParaSpace

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x4non, 0x52, 0xAgro, 0xNazgul, 0xSmartContract, 0xackermann, 9svR6w, Awesome, Aymen0909, B2, BRONZEDISC, Bnke0x0, Deekshith99, Deivitto, Diana, Dravee, HE1M, Jeiwan, Kaiziron, KingNFT, Lambda, Mukund, PaludoX0, RaymondFam, Rolezn, Sathish9098, Secureverse, SmartSek, __141345__, ahmedov, ayeslick, brgltd, cccz, ch0bu, chrisdior4, cryptonue, cryptostellar5, csanuragjain, datapunk, delfin454000, erictee, gz627, gzeon, helios, i_got_hacked, ignacio, imare, jadezti, jayphbee, joestakey, kankodu, ksk2345, ladboy233, martin, nadin, nicobevi, oyc_109, pashov, pavankv, pedr02b2, pzeus, rbserver, ronnyx2017, rvierdiiev, shark, unforgiven, xiaoming90, yjrwkk

Awards

103.9175 USDC - $103.92

Labels

bug
grade-b
QA (Quality Assurance)
Q-43

External Links

Link to GitHub issue

Low, QA, NC

Low

L-00 executeBatchBuyWithCredit does not follow the CHECK-EFFECT-ITERATION pattern

Add a non reentrant modifier to avoid unexpected behaviour

L-01 _checkValidity should return true if priceDeviation is maxPriceDeviation

On NFTFloorOracle.sol#L370; Instead of if (priceDeviation >= config.maxPriceDeviation) { should be if (priceDeviation > config.maxPriceDeviation) otherwise if the priceDeviation is the maxPriceDeviation the function setPrice will fail.

L-02 WETH address shouldnt be pass as an argument to avoid unwanted errors

On LooksRareAdapter.sol#L25 the function getAskOrderInfo is receiving WETH address as a parameter and WETH should be setted as an immutable on the constructor. Doing this the complexity will be lower and you will save gas.

L-03 WETH should be a constant or an immtuable and owner shoulndt change it

On PoolAddressesProvider.sol#L235-L239 you can change the WETH address, but WETH contract address should always be the same, you should remove this function and set WETH on the constructor or as a constant.

L-04 Variable owner is shadowed

Just change owner to _owner to avoid a shadowed variable.

diff --git a/paraspace-core/contracts/protocol/configuration/PoolAddressesProvider.sol b/paraspace-core/contracts/protocol/configuration/PoolAddressesProvider.sol
index 5f1e3c8..8381a65 100644
--- a/paraspace-core/contracts/protocol/configuration/PoolAddressesProvider.sol
+++ b/paraspace-core/contracts/protocol/configuration/PoolAddressesProvider.sol
@@ -42,9 +42,9 @@ contract PoolAddressesProvider is Ownable, IPoolAddressesProvider {
      * @param marketId The identifier of the market.
      * @param owner The owner address of this contract.
      */
-    constructor(string memory marketId, address owner) {
+    constructor(string memory marketId, address _owner) {
         _setMarketId(marketId);
-        transferOwnership(owner);
+        transferOwnership(_owner);
     }
 
     /// @inheritdoc IPoolAddressesProvider

L-05 Missing address(0) checks

Q-01 Unsolved TODOs

On LooksRareAdapter.sol#L59 you have an unsolved TODO that says; // TODO: take minPercentageToAsk into account

On MarketplaceLogic.sol#L442 you have an unsolved TODO that says; // TODO: support PToken

On INToken.sol#L97 you have an unsolved TODO that says; // TODO are we using the Treasury at all? Can we remove?

On UiIncentiveDataProvider.sol#L68 you have an unsolved TODO that says; // TODO: check that this is deployed correctly on contract and remove casting

On UniswapV3OracleWrapper.sol#L238 you have an unsolved TODO that says; // TODO using bit shifting for the 2^96

Consider resolving this before going into production

Q-02 Unused imports;

These imports arent used by the contract;

contracts/misc/marketplaces/SeaportAdapter.sol:6:import {OrderTypes} from "../../dependencies/looksrare/contracts/libraries/OrderTypes.sol"; // @audit unused
contracts/misc/marketplaces/SeaportAdapter.sol:8:import {ILooksRareExchange} from "../../dependencies/looksrare/contracts/interfaces/ILooksRareExchange.sol"; // @audit unused
contracts/misc/marketplaces/SeaportAdapter.sol:9:import {SignatureChecker} from "../../dependencies/looksrare/contracts/libraries/SignatureChecker.sol"; // @audit unused
contracts/misc/marketplaces/SeaportAdapter.sol:10:import {ConsiderationItem} from "../../dependencies/seaport/contracts/lib/ConsiderationStructs.sol"; // @audit unused
contracts/misc/marketplaces/SeaportAdapter.sol:11:import {AdvancedOrder, CriteriaResolver, Fulfillment, OfferItem, ItemType} from "../../dependencies/seaport/contracts/lib/ConsiderationStructs.sol"; // @audit unused OfferItem, ItemType
contracts/misc/marketplaces/SeaportAdapter.sol:13:import {IERC1271} from "../../dependencies/openzeppelin/contracts/IERC1271.sol"; // @audit unused
contracts/misc/marketplaces/SeaportAdapter.sol:15:import {PoolStorage} from "../../protocol/pool/PoolStorage.sol"; // @audit unused
contracts/misc/marketplaces/X2Y2Adapter.sol:6:import {OrderTypes} from "../../dependencies/looksrare/contracts/libraries/OrderTypes.sol"; // @audit unused import
contracts/misc/marketplaces/X2Y2Adapter.sol:7:import {SeaportInterface} from "../../dependencies/seaport/contracts/interfaces/SeaportInterface.sol"; // @audit unused import
contracts/misc/marketplaces/X2Y2Adapter.sol:8:import {ILooksRareExchange} from "../../dependencies/looksrare/contracts/interfaces/ILooksRareExchange.sol"; // @audit unused import
contracts/misc/marketplaces/X2Y2Adapter.sol:10:import {SignatureChecker} from "../../dependencies/looksrare/contracts/libraries/SignatureChecker.sol"; // @audit unused import
contracts/misc/marketplaces/X2Y2Adapter.sol:12:import {AdvancedOrder, CriteriaResolver, Fulfillment, OfferItem, ItemType} from "../../dependencies/seaport/contracts/lib/ConsiderationStructs.sol"; // @audit unused AdvancedOrder, CriteriaResolver, Fulfillment
contracts/misc/marketplaces/X2Y2Adapter.sol:14:import {IERC1271} from "../../dependencies/openzeppelin/contracts/IERC1271.sol"; // @audit unused import
contracts/misc/marketplaces/X2Y2Adapter.sol:16:import {PoolStorage} from "../../protocol/pool/PoolStorage.sol";// @audit unused import
contracts/misc/marketplaces/LooksRareAdapter.sol:7:import {SeaportInterface} from "../../dependencies/seaport/contracts/interfaces/SeaportInterface.sol"; //@audit unused
contracts/misc/marketplaces/LooksRareAdapter.sol:9:import {SignatureChecker} from "../../dependencies/looksrare/contracts/libraries/SignatureChecker.sol"; // @audit unused
contracts/misc/marketplaces/LooksRareAdapter.sol:11:import {AdvancedOrder, CriteriaResolver, Fulfillment, OfferItem, ItemType} from "../../dependencies/seaport/contracts/lib/ConsiderationStructs.sol"; // @audit unused AdvancedOrder, CriteriaResolver, Fulfillment
contracts/misc/marketplaces/LooksRareAdapter.sol:13:import {IERC1271} from "../../dependencies/openzeppelin/contracts/IERC1271.sol"; // @audit unused import
contracts/misc/marketplaces/LooksRareAdapter.sol:15:import {PoolStorage} from "../../protocol/pool/PoolStorage.sol"; // @audit unused import
contracts/protocol/libraries/logic/FlashClaimLogic.sol:11:import {XTokenType, IXTokenType} from "../../../interfaces/IXTokenType.sol";//@audit unused import
contracts/protocol/libraries/logic/BorrowLogic.sol:5:import {SafeCast} from "../../../dependencies/openzeppelin/contracts/SafeCast.sol";// @audit unused import
contracts/protocol/libraries/logic/BorrowLogic.sol:10:import {ReserveConfiguration} from "../configuration/ReserveConfiguration.sol"; // @audit unused import
contracts/protocol/libraries/logic/AuctionLogic.sol:8:import {IReserveAuctionStrategy} from "../../../interfaces/IReserveAuctionStrategy.sol"; // @audit unused import
contracts/protocol/pool/PoolCore.sol:7:import {PoolLogic} from "../libraries/logic/PoolLogic.sol"; // @audit Q unused import
contracts/protocol/pool/PoolCore.sol:10:import {MarketplaceLogic} from "../libraries/logic/MarketplaceLogic.sol";// @audit Q unused import
contracts/protocol/pool/PoolCore.sol:19:import {IACLManager} from "../../interfaces/IACLManager.sol"; // @audit Q unused import
contracts/protocol/pool/PoolCore.sol:23:import {IERC721Receiver} from "../../dependencies/openzeppelin/contracts/IERC721Receiver.sol";// @audit Q unused import
contracts/protocol/pool/PoolCore.sol:24:import {IMarketplace} from "../../interfaces/IMarketplace.sol";// @audit Q unused import
contracts/protocol/pool/PoolCore.sol:29:import {IWETH} from "../../misc/interfaces/IWETH.sol"; // @audit Q unused import

Q-03 Import the same file twice

On contracts/protocol/pool/PoolCore.sol:25 Yoa re importing libraries/helpers/Errors.sol twice; import {Errors} from "../libraries/helpers/Errors.sol"; <- this is repeated

Q-04 Use the pattern import {contract} from "file.sol";

On contracts/protocol/libraries/logic/FlashClaimLogic.sol:10 you are using a plain import instead of a named import; import "../../../interfaces/INTokenApeStaking.sol";

#0 - c4-judge

2023-01-25T16:26:05Z

dmvt marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter