Nibbl contest - berndartmueller's results

NFT fractionalization protocol with guaranteed liquidity and price based buyout.

General Information

Platform: Code4rena

Start Date: 21/06/2022

Pot Size: $30,000 USDC

Total HM: 12

Participants: 96

Period: 3 days

Judge: HardlyDifficult

Total Solo HM: 5

Id: 140

League: ETH

Researcher Performance

Rank: 64/96

Findings: 1

Award: $37.14

🌟 Selected for report: 0

🚀 Solo Findings: 0

QA Report

Low Risk

[L-01] chainid() may change in case of a hardfork

Description

The domainSeperator is not recalculated in the case of a hard fork. The variable domainSeperator in the contract EIP712Base is cached in the contract storage and will not change after being initialized. However, in the event of a hard fork, the domain would become invalid on one of the forked chains due to the change of chainid.

Findings

EIP712Base.sol#L16-L24

function INIT_EIP712(string memory name, string memory version) internal {
    domainSeperator = keccak256(
        abi.encode(
            EIP712_DOMAIN_TYPEHASH,
            keccak256(bytes(name)),
            keccak256(bytes(version)),
            getChainID(),
            address(this)
        )
    ); // @audit-info `domainSeperator` is cached forever
}

Consider using the elegant solution provided by OpenZeppelin:

https://github.com/fractional-company/contracts/blob/master/src/OpenZeppelin/drafts/EIP712.sol

[L-02] Unrecoverable ETH due to unnecessary receive() function

Description

The NibblVault contract does not expect direct ETH transfers. However, there is a receive() function to receive ETH. Anyone accidentally sending ETH to this contract will lose their funds.

Findings

NibblVault.sol#L585

receive() external payable {}

Remove the receive() function.

#0 - mundhrakeshav

2022-06-26T07:08:49Z

Direct ETH transfers expected

#1 - HardlyDifficult

2022-07-03T15:27:46Z

#2 - HardlyDifficult

2022-07-03T15:30:37Z

#3 - HardlyDifficult

2022-07-04T15:17:32Z

Low risk best practices. Good report format.
