Platform: Code4rena
Start Date: 18/05/2023
Pot Size: $24,500 USDC
Total HM: 3
Participants: 72
Period: 4 days
Judge: LSDan
Id: 237
League: ETH
Rank: 36/72
Findings: 1
Award: $16.19
π Selected for report: 0
π Solo Findings: 0
π Selected for report: ABA
Also found by: 0x4non, 0xHati, 0xMosh, 0xSmartContract, 0xWaitress, 0xhacksmithh, 0xnev, 0xprinc, Arabadzhiev, BLACK-PANDA-REACH, Deekshith99, Dimagu, KKat7531, Kose, LosPollosHermanos, MohammedRizwan, QiuhaoLi, RaymondFam, Rickard, Rolezn, SAAJ, Sathish9098, Shubham, SmartGooofy, Tripathi, Udsen, V1235816, adriro, arpit, ayden, bigtone, codeVolcan, d3e4, dwward3n, fatherOfBlocks, favelanky, jovemjeune, kutugu, lfzkoala, lukris02, matrix_0wl, minhquanym, ni8mare, parsely, pxng0lin, radev_sw, ravikiranweb3, rbserver, sces60107, souilos, tnevler, turvy_fuzz, yellowBirdy
16.1907 USDC - $16.19
ERC721.minthttps://github.com/code-423n4/2023-05-juicebox/blob/main/juice-buyback/contracts/JBXBuybackDelegate.sol#L205
https://github.com/code-423n4/2023-05-juicebox/blob/main/juice-buyback/contracts/JBXBuybackDelegate.sol#L207
.mint wonβt check if the recipient is able to receive the NFT. If an incorrect address is passed, it will result in a silent failure and loss of asset.
OpenZeppelin recommendation is to use the safe variant of _mint.
Manual review
Replace _mint() with _safeMint().
juice-buyback/contracts/JBXBuybackDelegate.sol 68: uint256 private constant SLIPPAGE_DENOMINATOR = 10000;
Manual review
- 68: uint256 private constant SLIPPAGE_DENOMINATOR = 10000; + 68: uint256 private constant SLIPPAGE_DENOMINATOR = 10_000;
#0 - c4-judge
2023-06-02T10:58:29Z
dmvt marked the issue as grade-b