Platform: Code4rena
Start Date: 21/06/2022
Pot Size: $30,000 USDC
Total HM: 12
Participants: 96
Period: 3 days
Judge: HardlyDifficult
Total Solo HM: 5
Id: 140
League: ETH
Rank: 23/96
Findings: 2
Award: $65.76
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x29A, 0x52, 0xNazgul, 0xNineDec, 0xc0ffEE, 0xf15ers, 0xkatana, BowTiedWardens, Chom, ElKu, Funen, GalloDaSballo, JC, JMukesh, JohnSmith, Lambda, Limbooo, MadWookie, MiloTruck, Nethermind, Noah3o6, Nyamcil, Picodes, PwnedNoMore, Randyyy, RoiEvenHaim, SmartSek, StErMi, Tadashi, TerrierLover, TomJ, Tomio, Treasure-Seeker, UnusualTurtle, Varun_Verma, Wayne, Waze, _Adam, apostle0x01, asutorufos, berndartmueller, c3phas, catchup, cccz, cloudjunky, codexploder, cryptphi, defsec, delfin454000, dipp, ellahi, exd0tpy, fatherOfBlocks, hansfriese, hyh, joestakey, kebabsec, kenta, masterchief, minhquanym, naps62, oyc_109, pashov, peritoflores, reassor, rfa, robee, sach1r0, saian, sashik_eth, shenwilly, simon135, slywaters, sorrynotsorry, sseefried, unforgiven, xiaoming90, ych18, zuhaibmohd, zzzitron
48.545 USDC - $48.54
Contract:
https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/Basket.sol#L41
https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/NibblVault.sol#L504
Issue: In the withdrawMultipleERC721 function, it is not checked whether _tokens.length == _tokenId.length. This means the loop can run an incorrect number of times.
Note: This also needs to be fixed for the withdrawMultipleERC1155 function.
Recommendation: Add the following checks:
require(_tokens.length == _tokenId.length, "Incorrect length"); // for Basket.sol#L41
require(_assetAddresses.length == _assetIDs.length, "Incorrect length"); // for NibblVault.sol#L504
#0 - HardlyDifficult
2022-07-02T22:24:09Z
#1 - HardlyDifficult
2022-07-02T22:25:49Z
#2 - HardlyDifficult
2022-07-03T21:45:38Z
#3 - HardlyDifficult
2022-07-03T21:47:33Z
#4 - HardlyDifficult
2022-07-03T21:51:08Z
#5 - HardlyDifficult
2022-07-03T21:55:03Z
#6 - HardlyDifficult
2022-07-04T15:40:06Z
7 low risk, all valid considerations.
🌟 Selected for report: IllIllI
Also found by: 0v3rf10w, 0x1f8b, 0x29A, 0xKitsune, 0xNazgul, 0xf15ers, 0xkatana, 8olidity, ACai, BowTiedWardens, Chandr, Chom, ElKu, Fitraldys, Funen, IgnacioB, JC, Lambda, Limbooo, MiloTruck, Noah3o6, Nyamcil, Picodes, Randyyy, SmartSek, StErMi, TerrierLover, TomJ, Tomio, UnusualTurtle, Waze, _Adam, ajtra, c3phas, cRat1st0s, catchup, codexploder, cryptphi, defsec, delfin454000, ellahi, exd0tpy, fatherOfBlocks, hansfriese, joestakey, kebabsec, kenta, m_Rassska, minhquanym, oyc_109, pashov, reassor, rfa, robee, sach1r0, saian, sashik_eth, simon135, slywaters, ych18, ynnad, zuhaibmohd
17.2238 USDC - $17.22
Contract: https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/Basket.sol#L43
Recommendation: Use ++i instead of i++ for gas savings. Do this for the withdrawMultipleERC721, withdrawMultipleERC1155 and withdrawMultipleERC20 functions.
#0 - mundhrakeshav
2022-06-25T14:07:17Z
Duplicate of #15
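As an added illustration of the two findings above (the missing array-length check in the QA report and the ++i note in the gas report), and not code from the Nibbl repository: a simplified Basket-like contract with the unchecked withdrawMultipleERC721 beside the hardened one. The contract name BasketExample, the onlyOwner modifier, the WithdrawERC721 event and the minimal IERC721Minimal interface are assumptions made for this example; the real Basket.sol and NibblVault.sol differ in their access control and the functions they expose. The same require applies to withdrawMultipleERC1155 and to the _assetAddresses/_assetIDs pair in NibblVault.sol.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added, simplified example; not the Nibbl project's code. The owner check,
// the event and the ERC721 interface are reduced to the minimum needed here.
interface IERC721Minimal {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}

contract BasketExample {
    address public immutable owner;

    event WithdrawERC721(address indexed token, uint256 indexed tokenId, address indexed to);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "withdraw:not allowed");
        _;
    }

    // Unchecked version: the pattern the finding describes. In this example the
    // loop is bounded by _tokens.length only, so:
    //  - _tokens.length > _tokenId.length: the read of _tokenId[i] goes past the
    //    end of the array and the whole call reverts with Panic(0x32), undoing
    //    the transfers already made and giving the caller no useful error.
    //  - _tokens.length < _tokenId.length: the trailing ids are silently
    //    ignored, so fewer NFTs leave the basket than the caller asked for.
    function withdrawMultipleERC721Unchecked(
        address[] calldata _tokens,
        uint256[] calldata _tokenId,
        address _to
    ) external onlyOwner {
        for (uint256 i = 0; i < _tokens.length; i++) {
            IERC721Minimal(_tokens[i]).safeTransferFrom(address(this), _to, _tokenId[i]);
            emit WithdrawERC721(_tokens[i], _tokenId[i], _to);
        }
    }

    // Hardened version: the length check from the QA recommendation, plus ++i
    // from the gas finding. A mismatched call now fails fast with a clear
    // reason string instead of a panic or a partial withdrawal.
    function withdrawMultipleERC721(
        address[] calldata _tokens,
        uint256[] calldata _tokenId,
        address _to
    ) external onlyOwner {
        require(_tokens.length == _tokenId.length, "Incorrect length");
        uint256 len = _tokens.length;
        for (uint256 i = 0; i < len; ++i) {
            IERC721Minimal(_tokens[i]).safeTransferFrom(address(this), _to, _tokenId[i]);
            emit WithdrawERC721(_tokens[i], _tokenId[i], _to);
        }
    }
}
```

Calling withdrawMultipleERC721Unchecked with two token addresses and one id reverts with a panic rather than a reason string; calling it with one token address and two ids transfers a single NFT and emits a single event. The hardened function rejects both calls with "Incorrect length" before any transfer is attempted, which is the behaviour a batch withdrawal should have.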