Platform: Code4rena
Start Date: 27/04/2022
Pot Size: $50,000 MIM
Total HM: 6
Participants: 59
Period: 5 days
Judge: 0xean
Id: 113
League: ETH
Rank: 14/59
Findings: 2
Award: $748.73
🌟 Selected for report: 0
🚀 Solo Findings: 0
https://github.com/code-423n4/2022-04-abranft/blob/5cd4edc3298c05748e952f8a8c93e42f930a78c2/contracts/NFTPairWithOracle.sol#L287 https://github.com/code-423n4/2022-04-abranft/blob/5cd4edc3298c05748e952f8a8c93e42f930a78c2/contracts/NFTPairWithOracle.sol#L321
The return value bool success of oracle.get() calls is ignored. This could lead to stale data or incorrect prices due to oracle issues.
Change to
(bool success, uint256 rate) = loanParams.oracle.get(address(this), tokenId); require(success, "ORACLE: Failed"); // @audit-info add check for `success` require(rate != 0, "ORACLE: Zero"); // @audit-info add check for `rate != 0`
(bool success, uint256 rate) = params.oracle.get(address(this), tokenId); require(success, "ORACLE: Failed"); // @audit-info add check for `success` require(rate != 0, "ORACLE: Zero"); // @audit-info add check for `rate != 0`
Manual review
Add check for bool success value of oracle.get().
#0 - cryptolyndon
2022-05-05T23:02:40Z
Confirmed. Duplicate of #21
🌟 Selected for report: IllIllI
Also found by: 0x1337, 0x1f8b, 0xDjango, 0xf15ers, AuditsAreUS, BowTiedWardens, CertoraInc, Funen, GimelSec, MaratCerby, Ruhum, WatchPug, antonttc, berndartmueller, bobi, bobirichman, broccolirob, catchup, cccz, defsec, delfin454000, gs8nrv, gzeon, horsefacts, hubble, hyh, ilan, jah, joestakey, kebabsec, kenta, kenzo, m9800, mics, oyc_109, pauliax, reassor, robee, samruna, sikorico, simon135, throttle, unforgiven, z3s
215.0341 MIM - $215.03
It's best practice for a contract to inherit from it's interface. This improves the contract's clarity and makes sure the contract implementation complies with the defined interface.
contract NFTPair is BoringOwnable, Domain, IMasterContract { // @audit-info add interface INFTPair ... }
Inherit from the missing interface or contract.
Consider using Solidity version 0.8.13 instead of using solidity 0.6.12.
More recent versions of solidity have compiler optimizations, user defined types (this would be very useful in the concentratedLiquidityPools code), overriding interface functions, reading from immutables, among other things. This could help reading and writing safe and clean code.
NFTPairWithOracle.sol#L20
NFTPair.sol#L20
Consider using Solidity version 0.8.13.
Ensure that the code is well commented on both with NatSpec and inline comments for better readability and maintainability. The comments should accurately reflect what the corresponding code does.
Some functions and/or function parameters are missing NatSpec comments.
Public function updateLoanParams is missing NatSpec comment
Function parameter deadline is missing NatSpec comment
Function parameter deadline is missing NatSpec comment
Public function repay is missing NatSpec comment
Add missing Natspec comments.
Multiple spelling mistakes found.
/// @param skim True if the token has already been transfered
transferred
// Track assets we own. Used to allow skimming the excesss.
excess
// `calculateIntest`.
calculateInterest
/// @param skim True if the funds have been transfered to the contract
transferred
/// @param skimCollateral True if the collateral has already been transfered
transferred
/// @notice Take collateral from a pre-commited borrower and lend against it
committed
/// @param skimFunds True if the funds have been transfered to the contract
transferred
/// of the above inquality) fits in 128 bits, then the function is
inequality
Same spelling mistakes in
NFTPairWithOracle.sol
Fix spelling mistakes.
init functions can be frontrunThe init function used to initialize important contract state can be called by anyone.
The attacker can initialize the contract before the legitimate deployer, hoping that the victim continues to use the same contract. In the best case for the victim, they notice it and have to redeploy their contract costing gas.
NFTPair.sol#L175
NFTPairWithOracle.sol#L192
Use the constructor to initialize non-proxied contracts.
For initializing proxy (upgradable) contracts deploy contracts using a factory contract that immediately calls initialize after deployment or make sure to call it immediately after deployment and verify the transaction succeeded.
onERC721Received not implementedContracts do not implement the onERC721Received function, which is considered a best practice to transfer ERC721 tokens from contracts to contracts. The absence of this function could prevent contracts from receiving ERC721 tokens from other contracts via safeTransferFrom.
NFTPair.sol
NFTPairWithOracle.sol
Consider adding an implementation of the onERC721Received function.
#0 - cryptolyndon
2022-05-13T04:37:02Z
Seen, thanks.
Solidity version comment does seem to refer to a different code base.
The deployment mechanism calls init() in the same transaction. See #20 re safeTransferFrom.