Platform: Code4rena
Start Date: 08/11/2022
Pot Size: $60,500 USDC
Total HM: 6
Participants: 72
Period: 5 days
Judge: Picodes
Total Solo HM: 2
Id: 178
League: ETH
Rank: 72/72
Findings: 1
Award: $36.34
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: RaymondFam
Also found by: 0x1f8b, 0x52, 0xSmartContract, 0xc0ffEE, 0xhacksmithh, 8olidity, Awesome, BClabs, Bnke0x0, Chom, Deivitto, Hashlock, IllIllI, Josiah, KingNFT, Nyx, R2, ReyAdmirado, Rolezn, SamGMK, Sathish9098, SinceJuly, V_B, Vadis, Waze, a12jmx, adriro, ajtra, aphak5010, bearonbike, bin, brgltd, carlitox477, carrotsmuggler, cccz, ch0bu, chaduke, datapunk, delfin454000, erictee, fatherOfBlocks, fs0c, horsefacts, jayphbee, ktg, ladboy233, pashov, perseverancesuccess, rbserver, ret2basic, tnevler, zaskoh
36.3434 USDC - $36.34
Issue | Instances
---|---
[Low-1] Multiple pragma (Solidity version) statements used | 16
[Low-2] Absence of zero address check while setting critical and immutable state variables | 5
[Low-3] Consider adding checks for signature malleability | 1
[Low-4] 1 token (ETH or any ERC20) always remains stuck inside the contract due to the code logic of the "rescueETH()" and "rescueERC20()" functions | 2
[Low-5] Tokens (ETH and ERC20) may be lost | 2

Issue | Instances
---|---
[NC-01] Same import statement written multiple times | 4
[NC-02] Contract does not check the return data of the low-level "call()" | 3
All contracts below use Solidity version 0.8.17:

File: contracts/ERC20EnabledLooksRareAggregator.sol
File: contracts/LooksRareAggregator.sol
File: contracts/TokenReceiver.sol
File: contracts/TokenRescuer.sol
File: contracts/TokenTransferrer.sol
File: contracts/proxies/LooksRareProxy.sol
File: contracts/proxies/SeaportProxy.sol
File: contracts/libraries/seaport/ConsiderationStructs.sol
File: contracts/libraries/seaport/ConsiderationEnums.sol
File: contracts/libraries/OrderEnums.sol
File: contracts/libraries/OrderStructs.sol
File: contracts/interfaces/IERC20EnabledLooksRareAggregator.sol
File: contracts/interfaces/IGemSwap.sol
File: contracts/interfaces/ILooksRareAggregator.sol
File: contracts/interfaces/IProxy.sol
File: contracts/interfaces/SeaportInterface.sol

These contracts use Solidity version ^0.8.14:

File: contracts/OwnableTwoSteps.sol
File: contracts/ReentrancyGuard.sol
File: contracts/SignatureChecker.sol
File: contracts/lowLevelCallers/LowLevelERC1155Transfer.sol
File: contracts/lowLevelCallers/LowLevelERC20Approve.sol
File: contracts/lowLevelCallers/LowLevelERC20Transfer.sol
File: contracts/lowLevelCallers/LowLevelERC721Transfer.sol
File: contracts/lowLevelCallers/LowLevelETH.sol
File: contracts/interfaces/IOwnableTwoSteps.sol

These contracts use ^0.8.0:

File: contracts/interfaces/IERC20.sol
File: contracts/interfaces/IERC1155.sol
File: contracts/interfaces/IERC721.sol
File: contracts/interfaces/IERC1271.sol
File: contracts/interfaces/IReentrancyGuard.sol
File: contracts/interfaces/ISignatureChecker.sol

This one uses >=0.5.0:

File: contracts/interfaces/IWETH.sol
Instances (5):

```solidity
File: contracts/ERC20EnabledLooksRareAggregator.sol

22:        aggregator = ILooksRareAggregator(_aggregator);
```

```solidity
File: contracts/proxies/LooksRareProxy.sol

38:        marketplace = ILooksRareExchange(_marketplace);
39:        aggregator = _aggregator;
```

```solidity
File: contracts/proxies/SeaportProxy.sol

46:        marketplace = SeaportInterface(_marketplace);
47:        aggregator = _aggregator;
```
Use OpenZeppelin's ECDSA contract rather than calling ecrecover() directly.

Instances (1):

```solidity
File: contracts/SignatureChecker.sol

60:        signer = ecrecover(hash, v, r, s);
```
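The checks the finding asks for, as an added example (not the project's SignatureChecker): a signature is only accepted in its low-s form with a canonical v, and a zero recovered address is treated as an error rather than returned. The library name and error names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.14;

/// Added example, not the project's code: ecrecover with the malleability
/// checks that OpenZeppelin's ECDSA library performs before recovery.
library SafeECDSA {
    // secp256k1 group order n / 2: the highest s accepted (EIP-2 low-s rule).
    uint256 private constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    error InvalidS();
    error InvalidV();
    error InvalidSigner();

    function recover(bytes32 hash, uint8 v, bytes32 r, bytes32 s) internal pure returns (address signer) {
        // For any valid (r, s, v), (r, n - s, v ^ 1) verifies against the same hash.
        // Rejecting s > n / 2 leaves exactly one accepted encoding per signature,
        // so a signature cannot be re-submitted in a second form.
        if (uint256(s) > HALF_N) revert InvalidS();
        if (v != 27 && v != 28) revert InvalidV();

        signer = ecrecover(hash, v, r, s);

        // ecrecover returns address(0) on malformed input instead of reverting;
        // surfacing that as an error prevents address(0) being treated as a signer.
        if (signer == address(0)) revert InvalidSigner();
    }
}
```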
Instances (1):

```solidity
File: contracts/TokenRescuer.sol

In function rescueETH()
23:        uint256 withdrawAmount = address(this).balance - 1;

In function rescueERC20()
35:        uint256 withdrawAmount = IERC20(currency).balanceOf(address(this)) - 1;
```
There is no zero address check on the receiver address, i.e. the "to" parameter, in the functions "rescueETH()" and "rescueERC20()".

Instances (1):

```solidity
File: contracts/TokenRescuer.sol

In function rescueETH()
22-25:     function rescueETH(address to) external onlyOwner {

In function rescueERC20()
34-38:     function rescueERC20(address currency, address to) external onlyOwner {
```
Instances (4):

```solidity
File: contracts/LooksRareAggregator.sol

14: import {BasicOrder, FeeData, TokenTransfer} from "./libraries/OrderStructs.sol";
15: import {LooksRareProxy} from "./proxies/LooksRareProxy.sol";
16: import {TokenReceiver} from "./TokenReceiver.sol";
17: import {TokenRescuer} from "./TokenRescuer.sol";
```
Instances (3):

```solidity
File: contracts/lowLevelCallers/LowLevelERC721Transfer.sol

27:        (bool status, ) = collection.call(abi.encodeWithSelector(IERC721.transferFrom.selector, from, to, tokenId));
```

```solidity
File: contracts/lowLevelCallers/LowLevelERC1155Transfer.sol

30-32:     (bool status, ) = collection.call(
               abi.encodeWithSelector(IERC1155.safeTransferFrom.selector, from, to, tokenId, amount, "")
           );

52-54:     (bool status, ) = collection.call(
               abi.encodeWithSelector(IERC1155.safeBatchTransferFrom.selector, from, to, tokenIds, amounts, "")
           );
```
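A low-level call wrapper that keeps and checks the return data, as an added example (not the project's LowLevelERC721Transfer): it refuses targets without code, bubbles up the callee's revert reason, and requires any returned bool to be true. The contract, error and function names are assumptions; the IERC721 interface is a minimal inline stub.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.14;

// Minimal stub of the interface the finding's call sites use (added here, not the project's file).
interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

/// Added example, not the project's code: call() with status, code-size and return-data checks.
abstract contract CheckedLowLevelCall {
    error NotAContract(address target);
    error CallFailed(bytes reason);
    error ReturnedFalse(address target);

    function _callAndCheck(address target, bytes memory data) internal {
        // call() to an address without code succeeds with empty return data, so a
        // self-destructed or never-deployed collection would look like a successful transfer.
        if (target.code.length == 0) revert NotAContract(target);

        (bool status, bytes memory returnData) = target.call(data);

        // Discarding returnData (as `(bool status, ) = ...` does) loses the callee's revert reason.
        if (!status) revert CallFailed(returnData);

        // ERC721/ERC1155 transfers return nothing; tokens that do return a bool must return true.
        // abi.decode reverts on return data that is not a single 32-byte word, which is the
        // correct outcome for a malformed response.
        if (returnData.length != 0 && !abi.decode(returnData, (bool))) {
            revert ReturnedFalse(target);
        }
    }

    function _transferERC721(address collection, address from, address to, uint256 tokenId) internal {
        _callAndCheck(collection, abi.encodeWithSelector(IERC721.transferFrom.selector, from, to, tokenId));
    }
}
```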
#0 - c4-judge
2022-11-21T19:20:20Z
Picodes marked the issue as grade-b
#1 - 0xhiroshi
2022-11-24T23:09:20Z
all addressed in other issues.
#2 - c4-sponsor
2022-11-24T23:09:25Z
0xhiroshi requested judge review