LooksRare Aggregator contest - BClabs's results

An NFT aggregator protocol.

General Information

Platform: Code4rena

Start Date: 08/11/2022

Pot Size: $60,500 USDC

Total HM: 6

Participants: 72

Period: 5 days

Judge: Picodes

Total Solo HM: 2

Id: 178

League: ETH

LooksRare

Findings Distribution

Researcher Performance

Rank: 16/72

Findings: 1

Award: $330.18

🌟 Selected for report: 0

🚀 Solo Findings: 0

Non critical: In OwnableTwoSteps it says the delay must be set by the inheriting contract: https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/OwnableTwoSteps.sol#L40 But none of the contracts actually set it.

QA: The owner should be careful when setting functions since a marketplace contract can be upgradeable, which could cause functions to change and DOS until removeFunction is called. So maybe just a heads-up for the owner to disallow upgradable proxies. https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/LooksRareAggregator.sol#L132-L135

QA: When trying to refer to the native token using an address, it's better to use the 0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE address instead of address(0).

QA: Require input addresses to not be equal to 0. https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/proxies/LooksRareProxy.sol#L37-L40

QA: If the owner decides to renounce ownership using confirmOwnershipRenouncement, then ERC721 and ERC1155 tokens that are trapped in the contract can never be rescued.

QA: Abstract contracts are contracts that don't have some functions implemented. In some cases such as SignatureChecker it would be better to declare the contract a library.

QA: Interfaces should be declared as such, not as contracts: https://github.com/code-423n4/2022-11-looksrare/blob/e3b2c053f722b0ca2dce3a3eb06f64859b8b7a6f/contracts/interfaces/IOwnableTwoSteps.sol#L7
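The OwnableTwoSteps delay finding and the confirmOwnershipRenouncement finding above, sketched together as an added Solidity example that is not the LooksRare code (contract, function and storage names are hypothetical): the base contract leaves delay at its default of zero when the inheriting contract forgets to set it, so renouncement has no timelock, and once ownership is renounced the owner-only rescue path is gone for good.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Sketch of a two-step ownership base (hypothetical names, not the LooksRare code)
// that leaves the renouncement delay to the inheriting contract.
abstract contract TwoStepOwnableSketch {
    address public owner;
    uint256 public delay;                 // stays 0 unless the child sets it
    uint256 public earliestRenounceTime;

    error NotOwner();
    error TooEarly();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // The inheriting contract is expected to call this once from its constructor.
    function _setupDelay(uint256 newDelay) internal {
        delay = newDelay;
    }

    function initiateOwnershipRenouncement() external onlyOwner {
        earliestRenounceTime = block.timestamp + delay; // delay == 0: no timelock at all
    }

    function confirmOwnershipRenouncement() external onlyOwner {
        if (block.timestamp < earliestRenounceTime) revert TooEarly();
        owner = address(0); // from here on every onlyOwner function is unreachable
    }
}

// Child that never calls _setupDelay(): the owner can initiate and confirm renouncement
// in the same block, after which rescueERC721 can no longer be called and any NFT
// sitting in the contract is stuck.
contract AggregatorSketch is TwoStepOwnableSketch {
    // constructor() { _setupDelay(7 days); }   <- the missing call
    function rescueERC721(address collection, address to, uint256 tokenId) external onlyOwner {
        IERC721(collection).transferFrom(address(this), to, tokenId);
    }
}
```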

#0 - c4-judge

2022-11-21T19:44:30Z

Picodes marked the issue as grade-a

#1 - 0xhiroshi

2022-11-23T15:08:14Z

OwnableTwoSteps - Valid
confirmOwnershipRenouncement - Technically true but not our concern
abstract contract/library - we will investigate
interface - Valid
0 address check - Invalid
0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE -> @0xJurassicPunk what do you think?

#2 - c4-sponsor

2022-11-23T15:08:28Z

0xhiroshi requested judge review

#3 - 0xhiroshi

2022-12-12T23:39:27Z

Update: We will reject the 0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE finding

#4 - 0xhiroshi

2022-12-12T23:41:36Z

Update: we will accept the abstract contract/library finding

#5 - 0xhiroshi

2022-12-12T23:41:50Z

@Picodes FYI
