Nibbl contest - cRat1st0s's results

NFT fractionalization protocol with guaranteed liquidity and price based buyout.

General Information

Platform: Code4rena

Start Date: 21/06/2022

Pot Size: $30,000 USDC

Total HM: 12

Participants: 96

Period: 3 days

Judge: HardlyDifficult

Total Solo HM: 5

Id: 140

League: ETH

Researcher Performance

Rank: 92/96

Findings: 1

Award: $17.23

🌟 Selected for report: 0

🚀 Solo Findings: 0

Project

Nibbl contest

Contracts in Scope

| File | LoC | External Calls | Description |
|---|---|---|---|
| NibblVaultFactory.sol | 70 | 0 | Vault Factory that deploys vault and handles governance and access control. |
| NibblVault.sol | 290 | 0 | Vault which holds NFT and has logic for trading and buyout |
| Basket.sol | 80 | 0 | Basket that can be used to fractionalize multiple NFTs. |
| Twav.sol | 25 | 0 | Implements time-weighted valuation to be consumed in NibblVault for buyouts |
| ProxyVault.sol | 17 | 0 | Proxy contract that gets deployed with implementation as NibblVault |
| ProxyBasket.sol | 17 | 0 | Proxy contract that gets deployed with implementation as Basket |
| AccessControlMechanism.sol | 19 | 0 | Inherited in NibblVaultFactory for access control on certain actions |
| EIP712Base.sol | 21 | 0 | To implement permit functionality with EIP712 signing. |

Report files

| File | SHA-1 hash |
|---|---|
| NibblVaultFactory.sol | 300fad385735fe6bfc11f614ec56cfed56f8441a |
| NibblVault.sol | c0fc67ecb42b4019b3f49690d5faffc5091c53b9 |
| Basket.sol | eac3ba192488131f2a126660b9502c1b1754b231 |

Low risk, non-critical, and gas optimization findings

  1. Use != 0 instead of > 0. The variable is uint256, so it will never be below 0, and the check can simply be != 0.
     https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVault.sol#L227
     https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVault.sol#L243

  2. Splitting require() statements that use && saves gas.
     https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVaultFactory.sol#L107
     https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVaultFactory.sol#L131
     https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVaultFactory.sol#L149
     https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVaultFactory.sol#L166

  3. <ARRAY>.length should not be looked up in every loop.
     https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/Basket.sol#L43
     https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/Basket.sol#L70
     https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/Basket.sol#L93
     https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVault.sol#L506
     https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVault.sol#L525
     https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVault.sol#L547

  4. X = X + Y is cheaper than X += Y, and X = X - Y is cheaper than X -= Y.
     https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVault.sol#L219
     https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVault.sol#L225
     https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVault.sol#L242
     https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVault.sol#L320
     https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVault.sol#L322
     https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVault.sol#L380
     https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVault.sol#L383
     https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVault.sol#L428
     https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVault.sol#L429
     https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVault.sol#L457

  5. Use of block.timestamp in NibblVault.sol and NibblVaultFactory.sol. Weak PRNG due to a modulo on block.timestamp. It can be influenced by miners to some extent, so it should be avoided.

#1 - mundhrakeshav

2022-06-26T09:06:58Z

#16
