ParaSpace contest - Secureverse's results

The First Ever Cross-Margin NFT Financialization Protocol.

General Information

Platform: Code4rena

Start Date: 28/11/2022

Pot Size: $192,500 USDC

Total HM: 33

Participants: 106

Period: 11 days

Judge: LSDan

Total Solo HM: 15

Id: 186

League: ETH

ParaSpace

Findings Distribution

Researcher Performance

Rank: 89/106

Findings: 1

Award: $103.92

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository ParaSpace

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x4non, 0x52, 0xAgro, 0xNazgul, 0xSmartContract, 0xackermann, 9svR6w, Awesome, Aymen0909, B2, BRONZEDISC, Bnke0x0, Deekshith99, Deivitto, Diana, Dravee, HE1M, Jeiwan, Kaiziron, KingNFT, Lambda, Mukund, PaludoX0, RaymondFam, Rolezn, Sathish9098, Secureverse, SmartSek, __141345__, ahmedov, ayeslick, brgltd, cccz, ch0bu, chrisdior4, cryptonue, cryptostellar5, csanuragjain, datapunk, delfin454000, erictee, gz627, gzeon, helios, i_got_hacked, ignacio, imare, jadezti, jayphbee, joestakey, kankodu, ksk2345, ladboy233, martin, nadin, nicobevi, oyc_109, pashov, pavankv, pedr02b2, pzeus, rbserver, ronnyx2017, rvierdiiev, shark, unforgiven, xiaoming90, yjrwkk

Awards

103.9175 USDC - $103.92

Labels

bug

grade-b

QA (Quality Assurance)

Q-05

External Links

Link to GitHub issue

[LOW-01] return value Should be a named value rather than a expression

Instances (2):

File:   paraspace-core/contracts/misc/marketplaces/SeaportAdapter.sol

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/misc/marketplaces/SeaportAdapter.sol#L129-L137

File:   paraspace-core/contracts/misc/UniswapV3OracleWrapper.sol

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/misc/UniswapV3OracleWrapper.sol#L176-L180

[LOW-02] Absence of zero address checks during assigning immutable state variables values

Instances (12):

File:   paraspace-core/contracts/misc/UniswapV3OracleWrapper.sol

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/misc/UniswapV3OracleWrapper.sol#L28
https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/misc/UniswapV3OracleWrapper.sol#L29
https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/misc/UniswapV3OracleWrapper.sol#L30

File:   paraspace-core/contracts/misc/ParaSpaceOracle.sol

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/misc/ParaSpaceOracle.sol#L57
https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/misc/ParaSpaceOracle.sol#L58

File:   paraspace-core/contracts/misc/NFTFloorOracle.sol

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/misc/NFTFloorOracle.sol#L58

File:   paraspace-core/contracts/protocol/pool/PoolApeStaking.sol

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/pool/PoolApeStaking.sol#L51-L53

File:   paraspace-core/contracts/protocol/pool/PoolCore.sol

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/pool/PoolCore.sol#L64-L66

File:   paraspace-core/contracts/protocol/pool/PoolMarketplace.sol

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/pool/PoolMarketplace.sol#L62-L63

File:   paraspace-core/contracts/ui/WPunkGateway.sol

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/ui/WPunkGateway.sol#L52
https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/ui/WPunkGateway.sol#L53
https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/ui/WPunkGateway.sol#L54

[LOW-03] Transfer of ownership should be a 2 step process

Instances (1):

File:   paraspace-core/contracts/protocol/configuration/PoolAddressesProvider.sol

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/configuration/PoolAddressesProvider.sol#L47

[LOW-04] Left the default message hash

For the in-scope code MESSAGE is left to the default value

```bytes32 constant POOL_STORAGE_POSITION =
    bytes32(uint256(keccak256("paraspace.proxy.pool.storage")) - 1);```

This could cause the signature to be replayable in other applications that use the same message.

Mitigation Steps Add the proper message, most likely a TOS acknowledgement or a ipfs hash to a document.

Instances (3):

File:   paraspace-core/contracts/protocol/pool/PoolStorage.sol

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/pool/PoolStorage.sol#L16-L17

File:   paraspace-core/contracts/protocol/tokenization/NToken.sol

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/tokenization/NToken.sol#L32

File:   paraspace-core/contracts/protocol/tokenization/NTokenApeStaking.sol

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/tokenization/NTokenApeStaking.sol#L24-L27

[LOW-05] Instead of magic number try to use constant state variables

Instances (1):

File:   paraspace-core/contracts/protocol/tokenization/NTokenUniswapV3.sol

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/tokenization/NTokenUniswapV3.sol#L30

[LOW-06] Should use recent updated and stable version of solidity

Recent version of solidity are more bug free. Consider to use recent stable version of solidity

Instances (32):

File:   paraspace-core/contracts/misc/marketplaces/LooksRareAdapter.sol
File:   paraspace-core/contracts/misc/marketplaces/SeaportAdapter.sol
File:   paraspace-core/contracts/misc/marketplaces/X2Y2Adapter.sol
File:   paraspace-core/contracts/misc/NFTFloorOracle.sol
File:   paraspace-core/contracts/misc/ParaSpaceOracle.sol
File:   paraspace-core/contracts/misc/UniswapV3OracleWrapper.sol

....
....
all contracts should be updated

#0 - c4-judge
2023-01-25T10:45:27Z

dmvt marked the issue as grade-b

ParaSpace contest - Secureverse's results

The First Ever Cross-Margin NFT Financialization Protocol.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-05] QA Report - $103.92

Findings Information

Awards

Labels

External Links

[LOW-01] return value Should be a named value rather than a expression

[LOW-02] Absence of zero address checks during assigning immutable state variables values

[LOW-03] Transfer of ownership should be a 2 step process

[LOW-04] Left the default message hash

[LOW-05] Instead of magic number try to use constant state variables

[LOW-06] Should use recent updated and stable version of solidity

#0 - c4-judge2023-01-25T10:45:27Z

#0 - c4-judge
2023-01-25T10:45:27Z