Nibbl contest - MadWookie's results

NFT fractionalization protocol with guaranteed liquidity and price based buyout.

General Information

Platform: Code4rena

Start Date: 21/06/2022

Pot Size: $30,000 USDC

Total HM: 12

Participants: 96

Period: 3 days

Judge: HardlyDifficult

Total Solo HM: 5

Id: 140

League: ETH

Researcher Performance

Rank: 74/96

Findings: 1

Award: $28.29

🌟 Selected for report: 0

🚀 Solo Findings: 0

LOW

Missing address(0) check when setting new curator

This could lead to funds being locked in contract forever.

1. File: NibblVault.sol#L183


    function updateCurator(address _newCurator) external override {
        require(msg.sender == curator,"NibblVault: Only Curator");
        curator = _newCurator;
    }    

Upgradeable contract is missing a __gap[50] storage variable to allow for new storage variables in later versions

Referenced here

1. File: NibblVault.sol#L20

    contract NibblVault is INibblVault, BancorFormula, ERC20Upgradeable, Twav, EIP712Base {

QA

Magic numbers should be declared as constants.

1. File: NibblVault.sol#L183


    uint _primaryReserveBalance = (primaryReserveRatio * _initialTokenSupply * _initialTokenPrice) / (SCALE * 1e18);

2. File: NibblVault.sol#L195


    uint _primaryReserveBalance = (primaryReserveRatio * _initialTokenSupply * _initialTokenPrice) / (SCALE * 1e18);

3. File: NibblVault.sol#L303

    uint32 _blockTimestamp = uint32(block.timestamp % 2**32);

4. File: NibblVault.sol#L303

    uint32 _blockTimestamp = uint32(block.timestamp % 2**32);

primaryReserveRatio should be written in all capitals

This variable does not conform with the other constants and should be written as PRIMARY_RESERVE_RATIO

1. File: NibblVault.sol#L195

    uint32 private constant primaryReserveRatio = 200_000; //20%

Comment seems to contradict actual code

This could just be my lack of understanding, but this comment appears to be wrong or at least not properly explained.

1. File: NibblVault.sol#L405-406

    // buyoutValuationDeposit = _currentValuation - ((primaryReserveBalance - fictitiousPrimaryReserveBalance) + secondaryReserveBalance); 
    buyoutValuationDeposit = msg.value - (_buyoutBid - _currentValuation);

#0 - HardlyDifficult

2022-07-04T18:00:23Z

Good feedback, concise report
