Back to abhinavmir's contests

Infinity NFT Marketplace contest - abhinavmir's results

The world's most advanced NFT marketplace.

General Information

Platform: Code4rena

Start Date: 14/06/2022

Pot Size: $50,000 USDC

Total HM: 19

Participants: 99

Period: 5 days

Judge: HardlyDifficult

Total Solo HM: 4

Id: 136

League: ETH

Infinity NFT Marketplace

Findings Distribution

Researcher Performance

Rank: 80/99

Findings: 1

Award: $48.98

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryInfinity NFT Marketplace

Findings Information

🌟 Selected for report: joestakey

Also found by: 0x1f8b, 0x29A, 0x52, 0xDjango, 0xNazgul, 0xNineDec, 0xf15ers, 0xkowloon, 0xmint, 8olidity, BowTiedWardens, Chom, Cityscape, Czar102, ElKu, FSchmoede, Funen, GimelSec, GreyArt, IllIllI, KIntern, Kaiziron, Kenshin, Lambda, MadWookie, MiloTruck, PPrieditis, Picodes, Ruhum, Sm4rty, StErMi, TerrierLover, TomJ, Treasure-Seeker, VAD37, WatchPug, Wayne, _Adam, a12jmx, abhinavmir, antonttc, apostle0x01, asutorufos, berndartmueller, cccz, cloudjunky, codexploder, cryptphi, csanuragjain, defsec, delfin454000, fatherOfBlocks, georgypetrov, hake, hansfriese, horsefacts, hyh, k, kenta, nxrblsrpr, oyc_109, peritoflores, rajatbeladiya, reassor, rfa, robee, sach1r0, saian, samruna, shenwilly, simon135, sorrynotsorry, sseefried, throttle, unforgiven, wagmi, zzzitron

Awards

48.9769 USDC - $48.98

Labels

bug
QA (Quality Assurance)

External Links

Link to GitHub issue

Audit of Infinity NFT Marketplace

Transfers ETH without require check

_transferFees() - Found here

While this is in an internal function, it is being called a few times earlier. The require functions to protect this internal function seem to focus on metadata of currency and such. A require function that whitelists who can and cannot access _transferFees() will probably add an extra layer of security. Related details here (SWC-105).

Divides before multiply

This is a low level severity, but can be exploited in specific scenarios. Since the variable dependency runs deep, there is added layer of ambiguity.

Instances found -

  1. Calculating price difference - also found in InfinityOrderBookComplication.
  2. PortionBPS - also found in InfinityOrderBookComplication.
  3. epochsPassedSinceLastAdvance - depends on division before multiplication and block.timestamp - both unreliable in the right circumstance (although, latter is practically a non-threat on main-net Ethereum due to chain maturity). Found here.

Functions that update parameters don't emit events

Usually, it is a good idea to emit events whenever variables that act as parameters later are changed. updateStakeLevelThreshold and updatePenalties both have this property as seen here.

Calls inside loops

This is probably fundamentally necessary to Infinity, but with some rearchitecting/using the frontend, is it possible to reduce this? Ref. this.

Another thing to keep in mind is that Ethereum usually prefers pull over push when giving out NFTs.

There are around 12 instances of this - maybe all multiple calls have no other option. Anyway, listed as follows-

  1. _transferERC1155
  2. _nftsHash
  3. _tokensHash
  4. matchOneToOneOrders
  5. matchOneToManyOrders has two instances, here's another one.
  6. matchOrders
  7. takeMultipleOneOrders
  8. takeOrders
  9. cancelMultipleOrders
  10. _transferMultipleNFTs
  11. _transferERC721
  12. _tokensHash

Gas optimisation by using the external keyword

getUserTotalStaked() uses public, which could instead be external (since it isn't used anywhere else in the codebase). Saves you a small amount of gas. This is also true for getUserTotalVested().

#0 - nneverlander

2022-06-23T12:43:02Z

Thanks

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter