Nibbl contest - UnusualTurtle's results

NFT fractionalization protocol with guaranteed liquidity and price based buyout.

General Information

Platform: Code4rena

Start Date: 21/06/2022

Pot Size: $30,000 USDC

Total HM: 12

Participants: 96

Period: 3 days

Judge: HardlyDifficult

Total Solo HM: 5

Id: 140

League: ETH

Nibbl

Findings Distribution

Researcher Performance

Rank: 34/96

Findings: 2

Award: $47.19

🌟 Selected for report: 0

🚀 Solo Findings: 0

1. NATSPEC IS INCOMPLETE

Examples of this issue in the codebase:

  1. File: contracts\NibblVaultFactory.sol missing @return (Line 38)

  2. File: contracts\NibblVaultFactory.sol missing @return (Line 64)

  3. File: contracts\NibblVaultFactory.sol missing @return @param _curator @param _mix (Line 80)


2. constants should be defined rather than using magic numbers

Examples of this issue in the codebase:

  1. File: contracts\NibblVault.sol (Line 176)

  2. File: contracts\NibblVault.sol (Line 183)


3. Missing checks for address(0x0) when assigning values to address state variables

Examples of this issue in the codebase:

  1. File: contracts\NibblVault.sol (Line 191)

  2. File: contracts\NibblVault.sol (Line 193)


4. Use a more recent version of solidity

Use a Solidity version of at least 0.8.12 so that string.concat() can be used instead of abi.encodePacked(,).

Examples of this issue in the codebase:

  1. File: contracts\NibblVaultFactory.sol (Line 3)

5. abi.encodePacked() should not be used with dynamic types when passing the result to a hash function such as keccak256()

Examples of this issue in the codebase:

  1. File: contracts\NibblVaultFactory.sol (Line 70)

  2. File: contracts\NibblVaultFactory.sol (Line 91)
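As an added illustration (constructed for this report, not code from the Nibbl repository) of why hashing abi.encodePacked() of dynamic arguments is ambiguous and how abi.encode() removes the ambiguity; it assumes only plain Solidity ^0.8.12 and the hypothetical contract and function names below:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.12;

/// Constructed demo (hypothetical names): keccak256 over packed vs. ABI encoding.
contract PackedHashDemo {
    /// Ambiguous: abi.encodePacked() emits dynamic types (string, bytes, arrays)
    /// back to back with no length prefix, so the argument boundary is lost.
    /// ("a", "bc") and ("ab", "c") both pack to the bytes "abc" and hash identically,
    /// which matters whenever the hash is used as a key, salt or identifier.
    function packedKey(string memory a, string memory b) public pure returns (bytes32) {
        return keccak256(abi.encodePacked(a, b));
    }

    /// Unambiguous: abi.encode() writes an offset and a length for every dynamic
    /// argument, so the split point is part of the hashed input.
    function encodedKey(string memory a, string memory b) public pure returns (bytes32) {
        return keccak256(abi.encode(a, b));
    }

    /// Caveat for reviewers: packing is only ambiguous when two or more dynamic
    /// arguments are adjacent. All fixed-size arguments (address, uint256, ...)
    /// pack to fixed widths, so the encoding stays unambiguous.
    function fixedSizeKey(address curator, uint256 nonce) public pure returns (bytes32) {
        return keccak256(abi.encodePacked(curator, nonce));
    }

    /// Returns whether each encoding collides for the two argument pairs:
    /// the packed form does, the ABI-encoded form does not.
    function demo() external pure returns (bool packedCollides, bool encodedCollides) {
        packedCollides = packedKey("a", "bc") == packedKey("ab", "c");
        encodedCollides = encodedKey("a", "bc") == encodedKey("ab", "c");
    }
}
```

The check to apply at the flagged lines is whether more than one dynamic-type argument feeds the packed encoding; if so, switch to abi.encode() or insert a fixed-size separator.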


6. Unused receive() function will lock Ether in contract

If the intention is for the Ether to be used, the function should call another function; otherwise it should revert.

Examples of this issue in the codebase:

  1. File: contracts\NibblVaultFactory.sol (Line 183)

  2. File: contracts\NibblVault.sol (Line 585)


7. Constant redefined elsewhere

Consider defining in only one contract so that values cannot become out of sync when only one location is updated. If the variable is a local cache of another contract's value, consider making the cache variable internal or private, which will require external users to query the contract with the source of truth, so that callers don't get out of sync.

Example of this issue in the codebase: factory is seen in File: contracts\NibblVault.sol (Line 60) and File: contracts\ProxyFault.sol (Line 17)


#0 - HardlyDifficult

2022-07-04T19:23:54Z

All valid considerations

1. SPLITTING REQUIRE() STATEMENTS THAT USE && SAVES GAS

Examples of this issue in the codebase:

  1. File: contracts\NibblVaultFactory.sol (Line 107)

  2. File: contracts\NibblVaultFactory.sol (Line 131)


2. USING > 0 COSTS MORE GAS THAN != 0 WHEN USED ON A UINT

Examples of this issue in the codebase:

  1. File: contracts\NibblVault.sol (Line 227)

  2. File: contracts\NibblVault.sol (Line 243)


3. USE CUSTOM ERRORS RATHER THAN REVERT()/REQUIRE() STRINGS TO SAVE DEPLOYMENT GAS

Examples of this issue in the codebase:

  1. File: contracts\Basket.sol (Line 36)

  2. File: contracts\NibblVaultFactory.sol (Line 149)


4. UNUSED SafeMath AND SafeMath IS NO LONGER NEEDED STARTING WITH SOLIDITY 0.8

Examples of this issue in the codebase:

  1. File: contracts\NibblVaultFactory.sol (Line 9)

5. SPLITTING REQUIRE() STATEMENTS THAT USE && SAVES GAS

Examples of this issue in the codebase:

  1. File: contracts\NibblVaultFactory.sol (Line 131)

  2. File: contracts\NibblVaultFactory.sol (Line 107)


6. X = X + Y IS CHEAPER THAN X += Y

Examples of this issue in the codebase:

  1. File: contracts\NibblVaultFactory.sol (Line 383)

  2. File: contracts\NibblVaultFactory.sol (Line 322)


7. ++I COSTS LESS GAS THAN I++, ESPECIALLY WHEN IT’S USED IN FOR-LOOPS (--I/I-- TOO)

Examples of this issue in the codebase:

  1. File: contracts\Basket.sol (Line 43)

  2. File: contracts\Basket.sol (Line 70)


8. ++I/I++ SHOULD BE UNCHECKED{++I}/UNCHECKED{I++} WHEN IT IS NOT POSSIBLE FOR THEM TO OVERFLOW, AS IS THE CASE WHEN USED IN FOR- AND WHILE-LOOPS

Examples of this issue in the codebase:

  1. File: contracts\Basket.sol (Line 93)

  2. File: contracts\NibblVaultFactory.sol (Line 506)


9. AVOIDING INITIALIZATION OF LOOP INDEX CAN SAVE A LITTLE GAS

Examples of this issue in the codebase:

  1. File: contracts\NibblVaultFactory.sol (Line 525)

  2. File: contracts\NibblVaultFactory.sol (Line 547)


10. EXPRESSIONS FOR CONSTANT VALUES SUCH AS A CALL TO KECCAK256(), SHOULD USE IMMUTABLE RATHER THAN CONSTANT

See this issue for a detailed description of the problem.

Examples of this issue in the codebase:

  1. File: contracts\NibblVault.sol (Line 51)

  2. File: contracts\Utilities\AccessControlMechanism.sol (Line 12)


11. USE CALLDATA INSTEAD OF MEMORY

Examples of this issue in the codebase:

  1. File: contracts\NibblVault.sol _assets can be changed to calldata (Line 523)

  2. File: contracts\NibblVault.sol _assetAddresses & _assetIDs can be changed to calldata (Line 504)


12. MINIMIZE THE NUMBER OF EXPENSIVE SLOAD CALLS

Examples of this issue in the codebase:

  1. File: contracts\Twav\Twav.sol twavObservationsIndex can be cached (Line 27)

  2. File: contracts\Twav\Twav.sol twavObservations can be cached (Line 36)

