ParaSpace contest - Mukund's results

The First Ever Cross-Margin NFT Financialization Protocol.

General Information

Platform: Code4rena

Start Date: 28/11/2022

Pot Size: $192,500 USDC

Total HM: 33

Participants: 106

Period: 11 days

Judge: LSDan

Total Solo HM: 15

Id: 186

League: ETH

ParaSpace

Findings Distribution

Researcher Performance

Rank: 62/106

Findings: 2

Award: $109.55

QA:

grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository ParaSpace

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x4non, 0x52, 0xAgro, 0xNazgul, 0xSmartContract, 0xackermann, 9svR6w, Awesome, Aymen0909, B2, BRONZEDISC, Bnke0x0, Deekshith99, Deivitto, Diana, Dravee, HE1M, Jeiwan, Kaiziron, KingNFT, Lambda, Mukund, PaludoX0, RaymondFam, Rolezn, Sathish9098, Secureverse, SmartSek, __141345__, ahmedov, ayeslick, brgltd, cccz, ch0bu, chrisdior4, cryptonue, cryptostellar5, csanuragjain, datapunk, delfin454000, erictee, gz627, gzeon, helios, i_got_hacked, ignacio, imare, jadezti, jayphbee, joestakey, kankodu, ksk2345, ladboy233, martin, nadin, nicobevi, oyc_109, pashov, pavankv, pedr02b2, pzeus, rbserver, ronnyx2017, rvierdiiev, shark, unforgiven, xiaoming90, yjrwkk

Awards

103.9175 USDC - $103.92

Labels

bug

grade-b

QA (Quality Assurance)

edited-by-warden

Q-30

External Links

Link to GitHub issue

UNUSED/EMPTY RECEIVE()/FALLBACK() FUNCTION

If the intention is for the Ether to be used, the function should call another function, otherwise it should revert (e.g. require(msg.sender == address(weth))). Having no access control on the function means that someone may send Ether to the contract, and have no way to get anything back out, which is a loss of funds https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/tokenization/NTokenUniswapV3.sol#L149

Some important function should emit who called this functions with `msg.sender` even though its only callable by admin for future logs maybe a admin exploit it

NToken.sol#L127-L134 NToken.sol#L151-L166

EVENTS IS MISSING INDEXED FIELD

Use at least 3 indexed field in events IPoolConfigurator.sol#L19-L24 IPoolConfigurator.sol#L40-L45 IPoolConfigurator.sol#L80-L84

SOME OF THE FUNCTION IS MISSING ZERO ADDRESS CHECK

PoolAddressesProvider.sol#L70-L78 PoolAddressesProvider.sol#L182-L193 PriceOracleSentinel.sol#L91-L97

CONSTANT ARE REDEFINED ELSE WHERE

same constant are redefined in multiple contract it should be added in a library and used in different contracts without defining then again and again PoolCore.sol#L53 PoolMarketplace.sol#L56 PoolParameters.sol#L49

#0 - c4-judge
2023-01-25T16:09:37Z

dmvt marked the issue as grade-b

ParaSpace contest - Mukund's results

The First Ever Cross-Margin NFT Financialization Protocol.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-30] QA Report - $103.92

Findings Information

Awards

Labels

External Links

UNUSED/EMPTY RECEIVE()/FALLBACK() FUNCTION

Some important function should emit who called this functions with msg.sender even though its only callable by admin for future logs maybe a admin exploit it

EVENTS IS MISSING INDEXED FIELD

SOME OF THE FUNCTION IS MISSING ZERO ADDRESS CHECK

CONSTANT ARE REDEFINED ELSE WHERE

#0 - c4-judge2023-01-25T16:09:37Z

Some important function should emit who called this functions with `msg.sender` even though its only callable by admin for future logs maybe a admin exploit it

#0 - c4-judge
2023-01-25T16:09:37Z