Nibbl contest - Treasure-Seeker's results

NFT fractionalization protocol with guaranteed liquidity and price based buyout.

General Information

Platform: Code4rena

Start Date: 21/06/2022

Pot Size: $30,000 USDC

Total HM: 12

Participants: 96

Period: 3 days

Judge: HardlyDifficult

Total Solo HM: 5

Id: 140

League: ETH

Nibbl

Findings Distribution

Researcher Performance

Rank: 83/96

Findings: 1

Award: $28.28

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Nibbl

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1f8b, 0x29A, 0x52, 0xNazgul, 0xNineDec, 0xc0ffEE, 0xf15ers, 0xkatana, BowTiedWardens, Chom, ElKu, Funen, GalloDaSballo, JC, JMukesh, JohnSmith, Lambda, Limbooo, MadWookie, MiloTruck, Nethermind, Noah3o6, Nyamcil, Picodes, PwnedNoMore, Randyyy, RoiEvenHaim, SmartSek, StErMi, Tadashi, TerrierLover, TomJ, Tomio, Treasure-Seeker, UnusualTurtle, Varun_Verma, Wayne, Waze, _Adam, apostle0x01, asutorufos, berndartmueller, c3phas, catchup, cccz, cloudjunky, codexploder, cryptphi, defsec, delfin454000, dipp, ellahi, exd0tpy, fatherOfBlocks, hansfriese, hyh, joestakey, kebabsec, kenta, masterchief, minhquanym, naps62, oyc_109, pashov, peritoflores, reassor, rfa, robee, sach1r0, saian, sashik_eth, shenwilly, simon135, slywaters, sorrynotsorry, sseefried, unforgiven, xiaoming90, ych18, zuhaibmohd, zzzitron

Awards

28.2782 USDC - $28.28

Labels

bug

QA (Quality Assurance)

sponsor disputed

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-06-nibbl/blob/8c3dbd6adf350f35c58b31723d42117765644110/contracts/Proxy/ProxyVault.sol#L56 https://github.com/code-423n4/2022-06-nibbl/blob/8c3dbd6adf350f35c58b31723d42117765644110/contracts/NibblVault.sol#L585

Vulnerability details

Impact

The ProxyVault and NibblVault contracts has an empty receive function implementation. This can cause a loss of funds as people may by mistake send the contract some eth, and will never be able to recover this ETH.

Proof of Concept

Easy way to check is try sending the ProxyVault or NibblVault contract some eth. There is no way to now withdraw this ETH (stuck forever)

Tools Used

VS Code

Recommended Mitigation Steps

Delete receive function

#0 - mundhrakeshav
2022-06-30T11:14:35Z

The funds in vault are redeemed by users.

#1 - HardlyDifficult
2022-07-03T23:47:55Z

Agree it seems the receive function does not add value and should be removed to prevent user error. But the funds are accounted for in redeem so funds are not lost. Downgrading and converting this into a QA report for the warden.

Nibbl contest - Treasure-Seeker's results

NFT fractionalization protocol with guaranteed liquidity and price based buyout.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-39] QA Report - $28.28

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

#0 - mundhrakeshav2022-06-30T11:14:35Z

#1 - HardlyDifficult2022-07-03T23:47:55Z

#0 - mundhrakeshav
2022-06-30T11:14:35Z

#1 - HardlyDifficult
2022-07-03T23:47:55Z