Nibbl contest - Chandr's results

NFT fractionalization protocol with guaranteed liquidity and price based buyout.

General Information

Platform: Code4rena

Start Date: 21/06/2022

Pot Size: $30,000 USDC

Total HM: 12

Participants: 96

Period: 3 days

Judge: HardlyDifficult

Total Solo HM: 5

Id: 140

League: ETH

Nibbl

Findings Distribution

Researcher Performance

Rank: 91/96

Findings: 1

Award: $17.23

🌟 Selected for report: 0

🚀 Solo Findings: 0

Gas saving: separate require statements instead of &&

IMPACT Require statements whose condition joins several checks with the && operator can be broken down into one require per check to save gas.

PROOF OF CONCEPT

Instance: https://github.com/NibblNFT/nibbl-smartcontracts/blob/master/contracts/NibblVaultFactory.sol#L107 require(basketUpdateTime != 0 && block.timestamp >= basketUpdateTime, "NibblVaultFactory: UPDATE_TIME has not passed");

Mitigation: require(basketUpdateTime != 0, "NibblVaultFactory: UPDATE_TIME has not passed"); require(block.timestamp >= basketUpdateTime, "NibblVaultFactory: UPDATE_TIME has not passed");

Instance: https://github.com/NibblNFT/nibbl-smartcontracts/blob/master/contracts/NibblVaultFactory.sol#L131 require(feeToUpdateTime != 0 && block.timestamp >= feeToUpdateTime, "NibblVaultFactory: UPDATE_TIME has not passed");

Mitigation: require(feeToUpdateTime != 0, "NibblVaultFactory: UPDATE_TIME has not passed"); require(block.timestamp >= feeToUpdateTime, "NibblVaultFactory: UPDATE_TIME has not passed");

Instance: https://github.com/NibblNFT/nibbl-smartcontracts/blob/master/contracts/NibblVaultFactory.sol#L149 require(feeAdminUpdateTime != 0 && block.timestamp >= feeAdminUpdateTime, "NibblVaultFactory: UPDATE_TIME has not passed");

Mitigation: require(feeAdminUpdateTime != 0, "NibblVaultFactory: UPDATE_TIME has not passed"); require(block.timestamp >= feeAdminUpdateTime, "NibblVaultFactory: UPDATE_TIME has not passed");

Instance: https://github.com/NibblNFT/nibbl-smartcontracts/blob/master/contracts/NibblVaultFactory.sol#L166 require(feeAdminUpdateTime != 0 && block.timestamp >= feeAdminUpdateTime, "NibblVaultFactory: UPDATE_TIME has not passed");

Mitigation: require(feeAdminUpdateTime != 0, "NibblVaultFactory: UPDATE_TIME has not passed"); require(block.timestamp >= feeAdminUpdateTime, "NibblVaultFactory: UPDATE_TIME has not passed");

Instance: https://github.com/NibblNFT/nibbl-smartcontracts/blob/master/contracts/Bancor/BancorFormula.sol#L188 require(_supply > 0 && _connectorBalance > 0 && _connectorWeight > 0 && _connectorWeight <= MAX_WEIGHT);

Mitigation: require(_supply > 0); require(_connectorBalance > 0); require(_connectorWeight > 0); require(_connectorWeight <= MAX_WEIGHT);

Instance: https://github.com/NibblNFT/nibbl-smartcontracts/blob/master/contracts/Bancor/BancorFormula.sol#L219 require(_supply > 0 && _connectorBalance > 0 && _connectorWeight > 0 && _connectorWeight <= MAX_WEIGHT && _sellAmount <= _supply);

Mitigation: require(_supply > 0); require(_connectorBalance > 0); require(_connectorWeight > 0); require(_connectorWeight <= MAX_WEIGHT); require(_sellAmount <= _supply);

Gas saving: prefix instead of postfix increment

IMPACT Prefix increments are cheaper than postfix increments.

PROOF OF CONCEPT

Instance: https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/Basket.sol#L43 for (uint256 i = 0; i < _tokens.length; i++) {

Mitigation: for (uint256 i = 0; i < _tokens.length; ++i) {

Instance: https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/Basket.sol#L70 for (uint256 i = 0; i < _tokens.length; i++) {

Mitigation: for (uint256 i = 0; i < _tokens.length; ++i) {

Instance: https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/Basket.sol#L93 for (uint256 i = 0; i < _tokens.length; i++) {

Mitigation: for (uint256 i = 0; i < _tokens.length; ++i) {

Instance: https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVaultFactory.sol#L506 for (uint256 i = 0; i < _tokens.length; i++) {for (uint256 i = 0; i < _assetAddresses.length; i++) {

Mitigation: for (uint256 i = 0; i < _tokens.length; ++i) { for (uint256 i = 0; i < _assetAddresses.length; ++i) {

Instance: https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVaultFactory.sol#L525 for (uint256 i = 0; i < _assets.length; i++) {

Mitigation: for (uint256 i = 0; i < _assets.length; ++i) {

Instance: https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVaultFactory.sol#L547 for (uint256 i = 0; i < _assets.length; i++) {

Mitigation: for (uint256 i = 0; i < _assets.length; ++i) {

Instance: https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVaultFactory.sol#L562 bytes32 structHash = keccak256(abi.encode(PERMIT_TYPEHASH, owner, spender, value, nonces[owner]++, deadline));

Mitigation: bytes32 structHash = keccak256(abi.encode(PERMIT_TYPEHASH, owner, spender, value, ++nonces[owner], deadline));
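An added Solidity illustration of both patterns in this report (not code from the Nibbl contracts; the state variables, revert string and PERMIT_TYPEHASH are constructed to mirror the quoted instances). It also covers the one instance where the prefix swap is not a pure gas change: in the permit hash the increment expression's value is used, and ++nonces[owner] evaluates to the incremented nonce rather than the one the signer signed over, so the example shows an equivalent form that hashes the old value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added illustration of the two gas patterns above. Not the Nibbl contracts:
/// the state variables, revert string and PERMIT_TYPEHASH are constructed
/// to mirror the quoted instances.
contract GasPatterns {
    uint256 public feeToUpdateTime;
    mapping(address => uint256) public nonces;
    bytes32 public constant PERMIT_TYPEHASH = keccak256(
        "Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)"
    );

    // Before: both conditions joined with && inside one require.
    function updateFeeToBefore() external view {
        require(feeToUpdateTime != 0 && block.timestamp >= feeToUpdateTime, "NibblVaultFactory: UPDATE_TIME has not passed");
    }

    // After: one require per condition. Reverts on the same inputs with the same
    // message; the first failing condition stops execution, as && did.
    function updateFeeToAfter() external view {
        require(feeToUpdateTime != 0, "NibblVaultFactory: UPDATE_TIME has not passed");
        require(block.timestamp >= feeToUpdateTime, "NibblVaultFactory: UPDATE_TIME has not passed");
    }

    // Loop counter: the increment's value is discarded, so ++i replaces i++ freely.
    function sum(uint256[] calldata xs) external pure returns (uint256 total) {
        for (uint256 i = 0; i < xs.length; ++i) {
            total += xs[i];
        }
    }

    // Permit nonce: here the increment's value IS used. nonces[owner]++ evaluates
    // to the nonce before the increment, which is the value an EIP-2612 signer
    // signs over. ++nonces[owner] would evaluate to the incremented value and
    // change the struct hash, so signatures built over the current nonce would fail.
    function structHashPostfix(address owner, address spender, uint256 value, uint256 deadline) external returns (bytes32) {
        return keccak256(abi.encode(PERMIT_TYPEHASH, owner, spender, value, nonces[owner]++, deadline));
    }

    // Equivalent form without the postfix copy: read once, store once, hash the old value.
    function structHashExplicit(address owner, address spender, uint256 value, uint256 deadline) external returns (bytes32) {
        uint256 nonce = nonces[owner];
        nonces[owner] = nonce + 1;
        return keccak256(abi.encode(PERMIT_TYPEHASH, owner, spender, value, nonce, deadline));
    }
}
```

For the same owner state, structHashPostfix and structHashExplicit return the same hash and leave nonces[owner] at the same value; a version hashing ++nonces[owner] returns a different hash for the same inputs.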

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
