Back to Rolezn's contests

Art Gobblers contest - Rolezn's results

Experimental Decentralized Art Factory By Justin Roiland and Paradigm.

General Information

Platform: Code4rena

Start Date: 20/09/2022

Pot Size: $100,000 USDC

Total HM: 4

Participants: 109

Period: 7 days

Judge: GalloDaSballo

Id: 163

League: ETH

Art Gobblers

Findings Distribution

Researcher Performance

Rank: 72/109

Findings: 1

Award: $55.20

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryArt Gobblers

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1f8b, 0x4non, 0x52, 0x5rings, 0xNazgul, 0xRobocop, 0xSmartContract, 0xdeadbeef, 0xsanson, 8olidity, Amithuddar, Aymen0909, B2, B353N, CertoraInc, Ch_301, Chom, CodingNameKiki, Deivitto, ElKu, Funen, JC, JohnnyTime, Kresh, Lambda, Noah3o6, RaymondFam, ReyAdmirado, RockingMiles, Rolezn, Sm4rty, SuldaanBeegsi, Tadashi, TomJ, Tomio, V_B, Waze, __141345__, a12jmx, ak1, arcoun, asutorufos, aviggiano, berndartmueller, bharg4v, bin2chen, brgltd, bulej93, c3phas, catchup, cccz, ch0bu, cryptonue, cryptphi, csanuragjain, delfin454000, devtooligan, djxploit, durianSausage, eighty, erictee, exd0tpy, fatherOfBlocks, giovannidisiena, hansfriese, ignacio, joestakey, ladboy233, lukris02, m9800, malinariy, martin, minhtrng, obront, oyc_109, pedr02b2, pedroais, pfapostol, philogy, prasantgupta52, rbserver, ronnyx2017, rotcivegaf, rvierdiiev, sach1r0, shung, simon135, throttle, tnevler, tonisives, wagmi, yixxas, zkhorse, zzykxx, zzzitron

Awards

55.1985 USDC - $55.20

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue

Total Low Severity: 3 Total Non-Critical Severity: 6

(1) Use _safeMint instead of _mint

Severity: Low

According to openzepplin's ERC721, the use of _mint is discouraged, use _safeMint whenever possible. https://docs.openzeppelin.com/contracts/3.x/api/token/erc721#ERC721-_mint-address-uint256-

Proof Of Concept

_mint(msg.sender, gobblerId);

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/ArtGobblers.sol#L356

_mint(msg.sender, gobblerId);

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/ArtGobblers.sol#L389

_mint(to, amount);

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/Goo.sol#L102

_mint(msg.sender, pageId);

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/Pages.sol#L211

for (uint256 i = 0; i < numPages; i++) _mint(community, ++lastMintedPageId);

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/Pages.sol#L251

Use _safeMint whenever possible instead of _mint

(2) Missing Checks for Address(0x0)

Severity: Low

Proof Of Concept

function transferOwnership(address _to)
external
onlyOwner()

{ https://github.com/code-423n4/2022-09-artgobblers/tree/main/lib/chainlink/contracts/src/v0.6/Owned.sol#L30

Consider adding zero-address checks in the mentioned codebase.

(3) Use Safetransfer Instead Of Transfer

Severity: Low

It is good to add a require() statement that checks the return value of token transfers or to use something like OpenZeppelin’s safeTransfer/safeTransferFrom unless one is sure the given token reverts in case of a failure. Failure to do so will cause silent failures of transfers and affect token accounting in contract.

Proof Of Concept

: ERC721(nft).transferFrom(msg.sender, address(this), id);

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/ArtGobblers.sol#L748

artGobblers.transferFrom(address(this), to, ids[i]);

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/utils/GobblerReserve.sol#L38

Consider using safeTransfer/safeTransferFrom or require() consistently.

(4) Constants Should Be Defined Rather Than Using Magic Numbers

Severity: Non-Critical

Proof Of Concept

        interfaceId == 0x01ffc9a7 || // ERC165 Interface ID for ERC165

https://github.com/code-423n4/2022-09-artgobblers/tree/main/lib/solmate/src/tokens/ERC721.sol#L148

        interfaceId == 0x01ffc9a7 || // ERC165 Interface ID for ERC165

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/utils/token/GobblersERC1155B.sol#L126

        interfaceId == 0x01ffc9a7 || // ERC165 Interface ID for ERC165

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/utils/token/GobblersERC721.sol#L151

        interfaceId == 0x01ffc9a7 || // ERC165 Interface ID for ERC165

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/utils/token/PagesERC721.sol#L164

(5) Missing parameter validation

Severity: Non-Critical

Some parameters of constructors are not checked for invalid values.

Proof Of Concept

address _owner

https://github.com/code-423n4/2022-09-artgobblers/tree/main/lib/solmate/src/auth/Owned.sol#L29

address _teamColdWallet

https://github.com/code-423n4/2022-09-artgobblers/tree/main/script/deploy/DeployBase.s.sol#L38

address _vrfCoordinator

https://github.com/code-423n4/2022-09-artgobblers/tree/main/script/deploy/DeployBase.s.sol#L41

address _linkToken

https://github.com/code-423n4/2022-09-artgobblers/tree/main/script/deploy/DeployBase.s.sol#L42

address _team

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/ArtGobblers.sol#L294

address _community

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/ArtGobblers.sol#L295

address _artGobblers

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/Goo.sol#L82

address _pages

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/Goo.sol#L82

address _community

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/Pages.sol#L161

address _owner

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/utils/GobblerReserve.sol#L23

address _vrfCoordinator

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/utils/rand/ChainlinkV1RandProvider.sol#L50

address _linkToken

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/utils/rand/ChainlinkV1RandProvider.sol#L51

Validate the parameters.

(6) Implementation contract may not be initialized

OpenZeppelin recommends that the initializer modifier be applied to constructors. Per OZs Post implementation contract should be initialized to avoid potential griefs or exploits. https://forum.openzeppelin.com/t/uupsupgradeable-vulnerability-post-mortem/15680/5

Severity: Non-Critical

Proof Of Concept

constructor(
    // Mint config:
    bytes32 _merkleRoot,
    uint256 _mintStart,
    // Addresses:
    Goo _goo,
    Pages _pages,
    address _team,
    address _community,
    RandProvider _randProvider,
    // URIs:
    string memory _baseUri,
    string memory _unrevealedUri
)
    GobblersERC721("Art Gobblers", "GOBBLER")
    Owned(msg.sender)
    LogisticVRGDA(
        69.42e18, // Target price.
        0.31e18, // Price decay percent.
        // Max gobblers mintable via VRGDA.
        toWadUnsafe(MAX_MINTABLE),
        0.0023e18 // Time scale.
    )
{

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/ArtGobblers.sol#L287-L310

constructor(address _artGobblers, address _pages) {
    artGobblers = _artGobblers;
    pages = _pages;
}

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/Goo.sol#82-L85

constructor(
    // Mint config:
    uint256 _mintStart,
    // Addresses:
    Goo _goo,
    address _community,
    ArtGobblers _artGobblers,
    // URIs:
    string memory _baseUri
)
    PagesERC721(_artGobblers, "Pages", "PAGE")
    LogisticToLinearVRGDA(
        4.2069e18, // Target price.
        0.31e18, // Price decay percent.
        9000e18, // Logistic asymptote.
        0.014e18, // Logistic time scale.
        SOLD_BY_SWITCH_WAD, // Sold by switch.
        SWITCH_DAY_WAD, // Target switch day.
        9e18 // Pages to target per day.
    )
{

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/Pages.sol#L156-L176

constructor(ArtGobblers _artGobblers, address _owner) Owned(_owner) {
    artGobblers = _artGobblers;
}

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/utils/GobblerReserve.sol#L23-L25

(7) Use a more recent version of Solidity

Severity: Non-Critical

Use a solidity version of at least 0.8.4 to get bytes.concat() instead of abi.encodePacked(<bytes>,<bytes>) Use a solidity version of at least 0.8.12 to get string.concat() instead of abi.encodePacked(<str>,<str>) Use a solidity version of at least 0.8.13 to get the ability to use using for with a list of free functions

Proof Of Concept

Found old version 0.8.0 of Solidity

https://github.com/code-423n4/2022-09-artgobblers/tree/main/lib/goo-issuance/src/LibGOO.sol#L2

Found old version 0.8.0 of Solidity

https://github.com/code-423n4/2022-09-artgobblers/tree/main/lib/solmate/src/tokens/ERC721.sol#L2

Found old version 0.8.0 of Solidity

https://github.com/code-423n4/2022-09-artgobblers/tree/main/lib/solmate/src/utils/FixedPointMathLib.sol#L2

Found old version 0.8.0 of Solidity

https://github.com/code-423n4/2022-09-artgobblers/tree/main/lib/solmate/src/utils/LibString.sol#L2

Found old version 0.8.0 of Solidity

https://github.com/code-423n4/2022-09-artgobblers/tree/main/lib/solmate/src/utils/MerkleProofLib.sol#L2

Found old version 0.8.0 of Solidity

https://github.com/code-423n4/2022-09-artgobblers/tree/main/lib/solmate/src/utils/SignedWadMath.sol#L2

Found old version 0.8.0 of Solidity

https://github.com/code-423n4/2022-09-artgobblers/tree/main/lib/VRGDAs/src/LinearVRGDA.sol#L2

Found old version 0.8.0 of Solidity

https://github.com/code-423n4/2022-09-artgobblers/tree/main/lib/VRGDAs/src/LogisticToLinearVRGDA.sol#L2

Found old version 0.8.0 of Solidity

https://github.com/code-423n4/2022-09-artgobblers/tree/main/lib/VRGDAs/src/LogisticVRGDA.sol#L2

Found old version 0.8.0 of Solidity

https://github.com/code-423n4/2022-09-artgobblers/tree/main/lib/VRGDAs/src/VRGDA.sol#L2

Found old version 0.8.0 of Solidity

https://github.com/code-423n4/2022-09-artgobblers/tree/main/script/deploy/DeployBase.s.sol#L2

Found old version 0.8.0 of Solidity

https://github.com/code-423n4/2022-09-artgobblers/tree/main/script/deploy/DeployRinkeby.s.sol#L2

Found old version 0.8.0 of Solidity

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/ArtGobblers.sol#L2

Found old version 0.8.0 of Solidity

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/Goo.sol#L2

Found old version 0.8.0 of Solidity

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/Pages.sol#L2

Found old version 0.8.0 of Solidity

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/utils/GobblerReserve.sol#L2

Found old version 0.8.0 of Solidity

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/utils/rand/ChainlinkV1RandProvider.sol#L2

Found old version 0.8.0 of Solidity

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/utils/token/GobblersERC1155B.sol#L2

Found old version 0.8.0 of Solidity

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/utils/token/GobblersERC721.sol#L2

Found old version 0.8.0 of Solidity

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/utils/token/PagesERC721.sol#L2

Consider updating to a more recent solidity version.

(8) Unused event may be unused code or indicative of missed emit/logic

Severity: Non-Critical

Events that are declared but not used may be indicative of unused declarations where it makes sense to remove them for better readability/maintainability/auditability, or worse indicative of a missing emit which is bad for monitoring or missing logic that would have emitted that event.

Proof Of Concept

event URI

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/utils/token/GobblersERC1155B.sol#L31

Add emit or remove event declaration.

(9) Large multiples of ten should use scientific notation

Severity: Non-Critical

Use (e.g. 1e6) rather than decimal literals (e.g. 100000), for better code readability.

Proof Of Concept

    r := mul(x, 1000000000000000000)

https://github.com/code-423n4/2022-09-artgobblers/tree/main/lib/solmate/src/utils/SignedWadMath.sol#L11

    r := div(mul(x, 1000000000000000000), 86400)

https://github.com/code-423n4/2022-09-artgobblers/tree/main/lib/solmate/src/utils/SignedWadMath.sol#L21

    r := div(mul(x, 86400), 1000000000000000000)

https://github.com/code-423n4/2022-09-artgobblers/tree/main/lib/solmate/src/utils/SignedWadMath.sol#L31

    r := sdiv(mul(x, y), 1000000000000000000)

https://github.com/code-423n4/2022-09-artgobblers/tree/main/lib/solmate/src/utils/SignedWadMath.sol#L39

    r := sdiv(mul(x, 1000000000000000000), y)

https://github.com/code-423n4/2022-09-artgobblers/tree/main/lib/solmate/src/utils/SignedWadMath.sol#L48

    r := sdiv(r, 1000000000000000000)

https://github.com/code-423n4/2022-09-artgobblers/tree/main/lib/solmate/src/utils/SignedWadMath.sol#L63

    if iszero(and(iszero(iszero(y)), eq(sdiv(r, 1000000000000000000), x))) {

https://github.com/code-423n4/2022-09-artgobblers/tree/main/lib/solmate/src/utils/SignedWadMath.sol#L73

uint256 public constant MAX_SUPPLY = 10000;

https://github.com/code-423n4/2022-09-artgobblers/tree/main/src/ArtGobblers.sol#L112

#0 - GalloDaSballo

2022-10-06T18:52:06Z

(1) Use _safeMint instead of _mint L

(2) Missing Checks for Address(0x0) L

(3) Use Safetransfer Instead Of Transfer L

(4) Constants Should Be Defined Rather Than Using Magic Numbers Disagree for instances presented

(5) Missing parameter validation Same as 2

(6) Implementation contract may not be initialized Invalid and shows a lack of understanding of immutable contracts

(7) Use a more recent version of Solidity NC

(8) Unused event may be unused code or indicative of missed emit/logic Valid R

(9) Large multiples of ten should use scientific notation Disagree for the instances offered, this is low level code

#1 - GalloDaSballo

2022-10-06T18:52:57Z

I can tell it's from a script, it would benefit by not pasting the same line of code needlessly It's passable, I think I wouldn't close this with new rules, although I know there are better reports

#2 - GalloDaSballo

2022-10-13T23:56:45Z

3L 1R 1NC

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter