Platform: Code4rena
Start Date: 20/09/2022
Pot Size: $100,000 USDC
Total HM: 4
Participants: 109
Period: 7 days
Judge: GalloDaSballo
Id: 163
League: ETH
Rank: 97/109
Findings: 1
Award: $55.20
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0x52, 0x5rings, 0xNazgul, 0xRobocop, 0xSmartContract, 0xdeadbeef, 0xsanson, 8olidity, Amithuddar, Aymen0909, B2, B353N, CertoraInc, Ch_301, Chom, CodingNameKiki, Deivitto, ElKu, Funen, JC, JohnnyTime, Kresh, Lambda, Noah3o6, RaymondFam, ReyAdmirado, RockingMiles, Rolezn, Sm4rty, SuldaanBeegsi, Tadashi, TomJ, Tomio, V_B, Waze, __141345__, a12jmx, ak1, arcoun, asutorufos, aviggiano, berndartmueller, bharg4v, bin2chen, brgltd, bulej93, c3phas, catchup, cccz, ch0bu, cryptonue, cryptphi, csanuragjain, delfin454000, devtooligan, djxploit, durianSausage, eighty, erictee, exd0tpy, fatherOfBlocks, giovannidisiena, hansfriese, ignacio, joestakey, ladboy233, lukris02, m9800, malinariy, martin, minhtrng, obront, oyc_109, pedr02b2, pedroais, pfapostol, philogy, prasantgupta52, rbserver, ronnyx2017, rotcivegaf, rvierdiiev, sach1r0, shung, simon135, throttle, tnevler, tonisives, wagmi, yixxas, zkhorse, zzykxx, zzzitron
55.1985 USDC - $55.20
Findings: Immutable addresses lack zero-address check
Code:
- https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/ArtGobblers.sol#L314-L317 (on addresses goo, pages, team, community)
- https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/Goo.sol#L83 (on address artGobblers)
- https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/Goo.sol#L84 (on address pages)
- https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/Pages.sol#L179 (on address goo)
- https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/Pages.sol#L181 (on address community)
- https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/utils/GobblerReserve.sol#L23-L25 (on address artGobblers)
Explanation: Constructors should check that the address written to an immutable address variable is not the zero address. An immutable cannot be corrected after deployment, so a zero address passed by mistake forces a redeploy.
Mitigation: Add a zero-address check for each of the above addresses.
Findings: Public functions can be external
Code:
- https://github.com/transmissions11/goo-issuance/blob/648e65e66e43ff5c19681427e300ece9c0df1437/src/LibGOO.sol#L21
- https://github.com/transmissions11/VRGDAs/blob/f4dec0611641e344339b2c78e5f733bba3b532e0/src/VRGDA.sol#L43
Explanation: It is good practice to mark functions as external instead of public if they are not called by the contract where they are defined.
Mitigation: Declare these functions as external instead of public
Findings: Floating Pragma
Code: - https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/ArtGobblers.sol#L2 (all contracts)
Explanation: Instead of >=0.8.0, it is recommended to lock the pragma to the same version used in the other contracts, and to check the known bugs list (https://github.com/ethereum/solidity/releases) for the compiler version that is chosen.
Mitigation: pragma solidity 0.8.17
Findings: _safeMint() should be used rather than _mint() wherever possible
There are 6 instances of this issue.
File: src/ArtGobblers.sol - line 356
File: src/ArtGobblers.sol - line 389
File: src/ArtGobblers.sol - line 469
File: src/Goo.sol - line 102
File: src/Pages.sol - line 211
File: src/Pages.sol - line 251
Explanation: _mint() is discouraged in favor of _safeMint(), which ensures that the recipient is either an EOA or implements IERC721Receiver.
Findings: WithdrawERC721: using the transferFrom() function of an ERC721 contract may freeze the user's NFT
There are 2 instances of this issue.
File: src/ArtGobblers.sol - line 749
File: src/ArtGobblers.sol - line 881
Explanation: When using the transferFrom function of an ERC721 contract to send an NFT, if the receiving address is a smart contract that does not support ERC721, the NFT can be frozen in that contract.
Mitigation: Use the ERC721 contract's safeTransferFrom function to send NFTs.
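The two mitigations above (zero-address checks on immutable constructor arguments, and safeTransferFrom for NFT withdrawals) shown together in one hypothetical reserve contract. This is an added example, not code from the ArtGobblers repository; the contract name HardenedReserve, the minimal IERC721Minimal interface, the owner field and the withdraw function are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.17;

// Minimal ERC721 surface needed here (assumed interface, not the project's own).
interface IERC721Minimal {
    function safeTransferFrom(address from, address to, uint256 id) external;
}

/// @notice Hypothetical reserve contract illustrating the two fixes: zero-address
/// checks on immutable constructor arguments, and safeTransferFrom for withdrawals.
contract HardenedReserve {
    error ZeroAddress(string name);
    error Unauthorized();

    IERC721Minimal public immutable artGobblers;
    address public immutable owner;

    constructor(address _artGobblers, address _owner) {
        // Immutables cannot be changed after deployment, so a mis-set zero
        // address would require a full redeploy. Revert at construction instead.
        if (_artGobblers == address(0)) revert ZeroAddress("artGobblers");
        if (_owner == address(0)) revert ZeroAddress("owner");
        artGobblers = IERC721Minimal(_artGobblers);
        owner = _owner;
    }

    /// @notice Withdraw tokens held by the reserve to `to`.
    /// safeTransferFrom reverts when `to` is a contract that does not
    /// implement IERC721Receiver, so the tokens cannot be frozen there.
    function withdraw(address to, uint256[] calldata ids) external {
        if (msg.sender != owner) revert Unauthorized();
        if (to == address(0)) revert ZeroAddress("to");
        for (uint256 i = 0; i < ids.length; ++i) {
            artGobblers.safeTransferFrom(address(this), to, ids[i]);
        }
    }
}
```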
#0 - GalloDaSballo
2022-10-04T21:36:59Z
L
NC
L
L
#1 - GalloDaSballo
2022-10-13T22:42:18Z
3L 1NC