Platform: Code4rena
Start Date: 11/08/2022
Pot Size: $40,000 USDC
Total HM: 8
Participants: 108
Period: 4 days
Judge: hickuphh3
Total Solo HM: 2
Id: 152
League: ETH
Rank: 24/108
Findings: 3
Award: $97.20
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: itsmeSTYJ
Also found by: 0x1f8b, 0x52, 0xDjango, Ch_301, Chom, KIntern_NA, PwnedNoMore, Treasure-Seeker, auditor0517, byndooa, cccz, csanuragjain, ladboy233, nine9, shenwilly, thank_you, yixxas, zkhorse
42.8343 USDC - $42.83
In the mintFromFixedPriceSale function of the NFTDropMarketFixedPriceSale contract, the number of NFTs that can be minted per account is limited by requiring IERC721(nftContract).balanceOf(msg.sender) + count <= saleConfig.limitPerAccount, but the user can bypass this limit by transferring NFTs to other accounts to reduce balanceOf(msg.sender).
None
Consider using a status variable to keep track of the number of nft per account mint, and use that variable instead of balanceOf(msg.sender) to limit the number of nft per account mint
#0 - HardlyDifficult
2022-08-17T20:58:47Z
🌟 Selected for report: Saw-mon_and_Natalie
Also found by: 0x1f8b, 0x52, 0xDjango, 0xNazgul, 0xSmartContract, 0xSolus, 0xackermann, 0xmatt, 0xsolstars, Aymen0909, Bnke0x0, Chom, Deivitto, DevABDee, Dravee, ElKu, IllIllI, JC, Kumpa, Lambda, LeoS, MiloTruck, PwnedNoMore, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, TomJ, Treasure-Seeker, Vexjon, Waze, Yiko, __141345__, apostle0x01, auditor0517, berndartmueller, bin2chen, bobirichman, brgltd, bulej93, c3phas, carlitox477, cccz, cryptphi, csanuragjain, d3e4, danb, delfin454000, durianSausage, erictee, fatherOfBlocks, gogo, iamwhitelights, joestakey, jonatascm, ladboy233, mics, oyc_109, rbserver, ret2basic, robee, rokinot, rvierdiiev, shenwilly, sikorico, simon135, thank_you, wagmi, yash90, zeesaw, zkhorse
41.1993 USDC - $41.20
In NFTCollectionFactory contract, the initialize function was missing access controls, allowing any user to initialize the contract. By front-running the contract deployers to initialize the contract, the incorrect parameters may be supplied, leaving the contract needing to be redeployed.
None
Adding the onlyAdmin modifier to initialize function.
In the initialize function of the NFTCollectionFactory contract, only versionNFTCollection will be initialized, but versionNFTDropCollection will not be initialized, so that the creator cannot control the initial version of the NFTDropCollections implementation contract
None
Consider allowing creators to initialize versionNFTDropCollection in the initialize function
_mint() is discouraged in favor of _safeMint() which ensures that the recipient is either an EOA or implements IERC721Receiver.
https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/master/contracts/token/ERC721/ERC721Upgradeable.sol#L275 https://github.com/code-423n4/2022-08-foundation/blob/792e00df429b0df9ee5d909a0a5a6e72bd07cf79/contracts/NFTCollection.sol#L271-L272 https://github.com/code-423n4/2022-08-foundation/blob/792e00df429b0df9ee5d909a0a5a6e72bd07cf79/contracts/NFTDropCollection.sol#L182-L183
None
Use _safeMint instead of _mint
#0 - HardlyDifficult
2022-08-18T19:52:57Z
[Low-01] front-runnable initialize
Invalid. See our comment here for context
[Low-02] NFTCollectionFactory: initialize function did not initialize versionNFTDropCollection
This was intentional. versionNFTCollection is picking up from where our last factory had left off, while the drop collection is new so starting with the default value of 0 is correct.
Use safeMint
Agree will fix - for context see our response here.