AbraNFT contest - CertoraInc's results

A peer to peer lending platform, using NFTs as collateral.

General Information

Platform: Code4rena

Start Date: 27/04/2022

Pot Size: $50,000 MIM

Total HM: 6

Participants: 59

Period: 5 days

Judge: 0xean

Id: 113

League: ETH

Abracadabra Money

Researcher Performance

Rank: 30/59

Findings: 2

Award: $127.73

🌟 Selected for report: 0

🚀 Solo Findings: 0

Low and Non-critical bugs

  • The value of uint256(loan.startTime) + tokenLoanParams[tokenId].duration is supposed to be the last time that the borrower can repay the loan, so it needs to be < instead of <= in the removeCollateral function and >= instead of > in the repay function:
    require(
        // Addition is safe: both summands are smaller than 256 bits
        uint256(loan.startTime) + tokenLoanParams[tokenId].duration <= block.timestamp,
        "NFTPair: not expired"
    );
    
    require(
        // Addition is safe: both summands are smaller than 256 bits
        uint256(loan.startTime) + loanParams.duration > block.timestamp,
        "NFTPair: loan expired"
    );
  • Typo in the comment before the constructor - write initialized instead of initialised
  • Typo in the comment before the requestLoan, lend, requestAndBorrow and takeCollateralAndLend functions - write transferred instead of transfered
  • Typo in the comment before the calculateInterest function - write inequality instead of inquality

#0 - cryptolyndon

2022-05-12T05:05:34Z

Can't argue with the duration business; that does go against what it says.

Why do so many of these typo reports include non-American, but legitimate, spelling? (Yes I know "transfered" is still wrong, and the other is an actual, well, typo)

Awards

44.6123 MIM - $44.61
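
The boundary discussed in this finding, as an added example that is not code from NFTPair or from the report (the contract and function names are hypothetical). It models the two quoted comparisons and the report's suggested ones at block.timestamp equal to startTime + duration, and shows why the two operators have to be changed together.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity >=0.6.12 <0.9.0;

// Added illustration, not NFTPair code: contract and function names are hypothetical.
// Only the four comparisons mirror the require() conditions discussed in the report.
contract LoanDeadlineBoundary {
    // Comparisons as quoted from the contract: at t == deadline the lender may seize.
    function canRepayCurrent(uint256 deadline, uint256 t) public pure returns (bool) {
        return deadline > t;
    }

    function canSeizeCurrent(uint256 deadline, uint256 t) public pure returns (bool) {
        return deadline <= t;
    }

    // Comparisons as suggested in the report: at t == deadline the borrower may still repay.
    function canRepaySuggested(uint256 deadline, uint256 t) public pure returns (bool) {
        return deadline >= t;
    }

    function canSeizeSuggested(uint256 deadline, uint256 t) public pure returns (bool) {
        return deadline < t;
    }

    // Evaluates each pairing at t == deadline, the only timestamp where the variants differ.
    // A consistent pairing allows exactly one of repay / seize at that timestamp.
    function atDeadline(uint64 startTime, uint64 duration)
        external
        pure
        returns (bool currentConsistent, bool suggestedConsistent, bool overlap, bool gap)
    {
        // Addition is safe: both summands are 64-bit values widened to 256 bits.
        uint256 deadline = uint256(startTime) + uint256(duration);
        currentConsistent = canRepayCurrent(deadline, deadline) != canSeizeCurrent(deadline, deadline);
        suggestedConsistent = canRepaySuggested(deadline, deadline) != canSeizeSuggested(deadline, deadline);
        // Changing only repay to >= : repay and seizure are both allowed at the deadline.
        overlap = canRepaySuggested(deadline, deadline) && canSeizeCurrent(deadline, deadline);
        // Changing only removeCollateral to < : neither action is allowed at the deadline.
        gap = !canRepayCurrent(deadline, deadline) && !canSeizeSuggested(deadline, deadline);
    }
}
```

All four return values are true for any inputs: both the current and the suggested pairings are internally consistent and differ only in which party owns the deadline timestamp, while applying just one of the two operator changes produces either an overlap or a gap.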

Labels

bug
G (Gas Optimization)

Gas Optimizations

  • Redundant initialization of uint8 private constant LOAN_INITIAL = 0; in NFTPair - variables in Solidity are automatically initialized to zero (and this actually costs more gas than initializing to zero)
  • Delete the loan params in addition to the loan data after the loan is finished
  • Can use inline assembly switch statement in the cook function instead of multiple if else statements

#0 - cryptolyndon

2022-05-14T01:10:56Z

Seen, thanks. Only one to mention the switch
