Platform: Code4rena
Start Date: 11/08/2022
Pot Size: $40,000 USDC
Total HM: 8
Participants: 108
Period: 4 days
Judge: hickuphh3
Total Solo HM: 2
Id: 152
League: ETH
Rank: 6/108
Findings: 2
Award: $1,757.37
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Saw-mon_and_Natalie
Also found by: 0x1f8b, 0x52, 0xDjango, 0xNazgul, 0xSmartContract, 0xSolus, 0xackermann, 0xmatt, 0xsolstars, Aymen0909, Bnke0x0, Chom, Deivitto, DevABDee, Dravee, ElKu, IllIllI, JC, Kumpa, Lambda, LeoS, MiloTruck, PwnedNoMore, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, TomJ, Treasure-Seeker, Vexjon, Waze, Yiko, __141345__, apostle0x01, auditor0517, berndartmueller, bin2chen, bobirichman, brgltd, bulej93, c3phas, carlitox477, cccz, cryptphi, csanuragjain, d3e4, danb, delfin454000, durianSausage, erictee, fatherOfBlocks, gogo, iamwhitelights, joestakey, jonatascm, ladboy233, mics, oyc_109, rbserver, ret2basic, robee, rokinot, rvierdiiev, shenwilly, sikorico, simon135, thank_you, wagmi, yash90, zeesaw, zkhorse
45.0803 USDC - $45.08
Low-1: 1. NFTDropCollection.sol reveal() cannot change the baseURI once reveal() has been called; it is recommended to check baseURI != _baseURI so that the one-shot reveal is not consumed by re-setting the old value
function reveal(string calldata _baseURI) external onlyAdmin validBaseURI(_baseURI) onlyWhileUnrevealed {
    // `postRevealBaseURIHash` == 0 indicates that the collection has been revealed.
    delete postRevealBaseURIHash;
    // Set the new base URI.
++++    require(keccak256(bytes(baseURI)) != keccak256(bytes(_baseURI)), "same");
    baseURI = _baseURI;
    emit URIUpdated(_baseURI, "");
}
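The following is an added illustration, not Foundation's code and not part of the original submission. It reduces NFTDropCollection to the reveal() state machine (the validBaseURI modifier is omitted; the contract, test and variable names are assumptions) and uses a Foundry test to show why the check matters: because onlyWhileUnrevealed makes reveal() a one-shot operation, calling it with the pre-reveal URI leaves the collection permanently on the old URI, whereas the recommended require rejects that call and keeps the real reveal available.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import "forge-std/Test.sol";

// Added illustration, not Foundation's code: a minimal stand-in for
// NFTDropCollection that keeps only the reveal() state machine. The
// validBaseURI modifier of the original is omitted; contract and test
// names are assumptions.
contract MinimalDropCollection {
    address public immutable admin;
    string public baseURI;
    // Non-zero while unrevealed; deleted by reveal(), as in the original.
    bytes32 public postRevealBaseURIHash;

    event URIUpdated(string baseURI, string ipfsPath);

    constructor(string memory initialBaseURI, bytes32 revealHash) {
        admin = msg.sender;
        baseURI = initialBaseURI;
        postRevealBaseURIHash = revealHash;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    modifier onlyWhileUnrevealed() {
        require(postRevealBaseURIHash != 0, "already revealed");
        _;
    }

    // Shape of the original: any URI is accepted, including the current one,
    // and the one-shot reveal is consumed either way.
    function revealUnchecked(string calldata newBaseURI) external onlyAdmin onlyWhileUnrevealed {
        delete postRevealBaseURIHash;
        baseURI = newBaseURI;
        emit URIUpdated(newBaseURI, "");
    }

    // With the recommended check: a reveal that would keep the old URI
    // reverts, so the admin cannot burn the only reveal on a no-op.
    function reveal(string calldata newBaseURI) external onlyAdmin onlyWhileUnrevealed {
        require(keccak256(bytes(baseURI)) != keccak256(bytes(newBaseURI)), "same");
        delete postRevealBaseURIHash;
        baseURI = newBaseURI;
        emit URIUpdated(newBaseURI, "");
    }
}

contract RevealTest is Test {
    string constant PRE = "ipfs://pre-reveal/";
    string constant POST = "ipfs://revealed/";

    function testNoOpRevealLocksTheOldURI() public {
        MinimalDropCollection c = new MinimalDropCollection(PRE, keccak256(abi.encodePacked(POST)));
        c.revealUnchecked(PRE); // succeeds, but baseURI is unchanged ...
        vm.expectRevert("already revealed");
        c.revealUnchecked(POST); // ... and can no longer be corrected
        assertEq(c.baseURI(), PRE);
    }

    function testCheckedRevealRejectsSameURI() public {
        MinimalDropCollection c = new MinimalDropCollection(PRE, keccak256(abi.encodePacked(POST)));
        vm.expectRevert("same");
        c.reveal(PRE);
        c.reveal(POST); // the real reveal still works afterwards
        assertEq(c.baseURI(), POST);
    }
}
```

Run with `forge test` in a project that has forge-std installed; the first test passes only because the unchecked variant accepts the no-op, which is the failure mode the finding describes.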
2. MarketFees.sol _distributeFunds() distributes the funds, which costs a fair amount of gas, but when the price is 0 there is nothing to distribute; it is recommended to return directly to save gas
function _distributeFunds(
    address nftContract,
    uint256 tokenId,
    address payable seller,
    uint256 price,
    address payable buyReferrer
) internal returns (uint256 totalFees, uint256 creatorRev, uint256 sellerRev) {
++++    if (price == 0) {
++++        return (0, 0, 0);
++++    }
    ...
3. MarketFees.sol internalGetMutableRoyalties() should check that royaltyAmount > 0 before returning the receiver, just like internalGetImmutableRoyalties() does.
function internalGetMutableRoyalties(
    address nftContract,
    uint256 tokenId,
    address payable creator
) external view returns (address payable[] memory recipients, uint256[] memory splitPerRecipientInBasisPoints) {
    ...
    if (nftContract.supportsERC165InterfaceUnchecked(type(IRoyaltyInfo).interfaceId)) {
        try IRoyaltyInfo(nftContract).royaltyInfo{ gas: READ_ONLY_GAS_LIMIT }(tokenId, BASIS_POINTS) returns (
            address receiver,
----        uint256 /* royaltyAmount */
++++        uint256 royaltyAmount
        ) {
++++        if (royaltyAmount > 0) {
                recipients = new address payable[](1);
                recipients[0] = payable(receiver);
                splitPerRecipientInBasisPoints = new uint256[](1);
                // The split amount is assumed to be 100% when only 1 recipient is returned
                return (recipients, splitPerRecipientInBasisPoints);
++++        }
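The following is an added illustration, not Foundation's code and not part of the original submission. It reproduces the shape of the mutable-royalty branch with the recommended royaltyAmount > 0 guard and drives it with two constructed NFT stand-ins: one whose royaltyInfo() names a receiver but reports zero royalties, and one that reports 5%. Without the guard the zero-royalty receiver would be returned as the single recipient and, by the "single recipient is 100%" convention, treated as owed the whole royalty split. The ERC-165 probe of the original is omitted, READ_ONLY_GAS_LIMIT is an assumed value, and all contract names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import "forge-std/Test.sol";

// Added illustration, not Foundation's code. The ERC-165 probe of the
// original is omitted, READ_ONLY_GAS_LIMIT is an assumed value, and the
// contract names are assumptions.
interface IRoyaltyInfo {
    function royaltyInfo(uint256 tokenId, uint256 salePrice)
        external view returns (address receiver, uint256 royaltyAmount);
}

// Constructed NFT stand-in: names a receiver but reports zero royalties.
contract ZeroRoyaltyNFT is IRoyaltyInfo {
    function royaltyInfo(uint256, uint256) external pure override returns (address, uint256) {
        return (address(0xBEEF), 0);
    }
}

// Constructed NFT stand-in: 5% royalty to a receiver.
contract FivePercentRoyaltyNFT is IRoyaltyInfo {
    function royaltyInfo(uint256, uint256 salePrice) external pure override returns (address, uint256) {
        return (address(0xCAFE), salePrice * 500 / 10_000);
    }
}

contract RoyaltyLookup {
    uint256 internal constant BASIS_POINTS = 10_000;
    uint256 internal constant READ_ONLY_GAS_LIMIT = 40_000; // assumed value

    // Same shape as the mutable-royalty branch in the original, with the
    // recommended guard: a receiver is only returned when royaltyAmount > 0,
    // so a zero-royalty response does not turn into a 100% split.
    function getMutableRoyalties(address nftContract, uint256 tokenId)
        external view
        returns (address payable[] memory recipients, uint256[] memory splitPerRecipientInBasisPoints)
    {
        try IRoyaltyInfo(nftContract).royaltyInfo{ gas: READ_ONLY_GAS_LIMIT }(tokenId, BASIS_POINTS) returns (
            address receiver,
            uint256 royaltyAmount
        ) {
            if (royaltyAmount > 0) {
                recipients = new address payable[](1);
                recipients[0] = payable(receiver);
                splitPerRecipientInBasisPoints = new uint256[](1);
                splitPerRecipientInBasisPoints[0] = BASIS_POINTS; // single recipient takes the whole split
                return (recipients, splitPerRecipientInBasisPoints);
            }
        } catch {
            // Non-conforming or reverting contract: fall through to "no royalties".
        }
        // Named returns stay empty: the caller treats this as "no recipients from this source".
    }
}

contract RoyaltyLookupTest is Test {
    RoyaltyLookup internal lookup;

    function setUp() public {
        lookup = new RoyaltyLookup();
    }

    function testZeroRoyaltyReturnsNoRecipient() public {
        (address payable[] memory r, ) = lookup.getMutableRoyalties(address(new ZeroRoyaltyNFT()), 1);
        assertEq(r.length, 0);
    }

    function testPositiveRoyaltyReturnsReceiver() public {
        (address payable[] memory r, uint256[] memory s) =
            lookup.getMutableRoyalties(address(new FivePercentRoyaltyNFT()), 1);
        assertEq(r.length, 1);
        assertEq(r[0], address(0xCAFE));
        assertEq(s[0], 10_000);
    }
}
```

The guard is the only line that separates the two outcomes: drop `if (royaltyAmount > 0)` and the first test fails with a one-element recipients array pointing at a receiver that is owed nothing.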
#0 - HardlyDifficult
2022-08-18T18:56:16Z
1.NFTDropCollection.sol reveal()
This is an interesting suggestion -- will consider this.
2.MarketFees.sol _distributeFunds()
Good idea, will consider this.
3.MarketFees.sol internalGetMutableRoyalties()
Dupe of https://github.com/code-423n4/2022-08-foundation-findings/issues/147