Platform: Code4rena
Start Date: 20/09/2022
Pot Size: $100,000 USDC
Total HM: 4
Participants: 109
Period: 7 days
Judge: GalloDaSballo
Id: 163
League: ETH
Rank: 88/109
Findings: 1
Award: $55.20
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0x52, 0x5rings, 0xNazgul, 0xRobocop, 0xSmartContract, 0xdeadbeef, 0xsanson, 8olidity, Amithuddar, Aymen0909, B2, B353N, CertoraInc, Ch_301, Chom, CodingNameKiki, Deivitto, ElKu, Funen, JC, JohnnyTime, Kresh, Lambda, Noah3o6, RaymondFam, ReyAdmirado, RockingMiles, Rolezn, Sm4rty, SuldaanBeegsi, Tadashi, TomJ, Tomio, V_B, Waze, __141345__, a12jmx, ak1, arcoun, asutorufos, aviggiano, berndartmueller, bharg4v, bin2chen, brgltd, bulej93, c3phas, catchup, cccz, ch0bu, cryptonue, cryptphi, csanuragjain, delfin454000, devtooligan, djxploit, durianSausage, eighty, erictee, exd0tpy, fatherOfBlocks, giovannidisiena, hansfriese, ignacio, joestakey, ladboy233, lukris02, m9800, malinariy, martin, minhtrng, obront, oyc_109, pedr02b2, pedroais, pfapostol, philogy, prasantgupta52, rbserver, ronnyx2017, rotcivegaf, rvierdiiev, sach1r0, shung, simon135, throttle, tnevler, tonisives, wagmi, yixxas, zkhorse, zzykxx, zzzitron
55.1985 USDC - $55.20
While floating pragmas make sense for libraries, which must compile under the several different compiler versions of the applications that include them, they are a security risk for application implementations.
A known vulnerable compiler version may be selected by accident, or security tools may fall back to an older compiler version and end up checking different EVM bytecode than what is ultimately deployed on the blockchain.
It is recommended to pin to a concrete compiler version.
src/ArtGobblers.sol:L2 pragma solidity >=0.8.0;
src/Pages.sol:L2 pragma solidity >=0.8.0;
src/Goo.sol:L2 pragma solidity >=0.8.0;
src/utils/GobblerReserve.sol:L2 pragma solidity >=0.8.0;
src/utils/token/GobblersERC721.sol:L2 pragma solidity >=0.8.0;
src/utils/token/GobblersERC1155B.sol:L2 pragma solidity >=0.8.0;
src/utils/token/PagesERC721.sol:L2 pragma solidity >=0.8.0;
src/utils/rand/ChainlinkV1RandProvider.sol:L2 pragma solidity >=0.8.0;
src/utils/rand/RandProvider.sol:L2 pragma solidity >=0.8.0;
_safeMint() should be used rather than _mint() wherever possible
_mint() is discouraged in favor of _safeMint(), which ensures that the recipient is either an EOA or a contract that implements IERC721Receiver. Both OpenZeppelin and solmate have versions of this function.
src/ArtGobblers.sol:L356 _mint(msg.sender, gobblerId);
src/ArtGobblers.sol:L389 _mint(msg.sender, gobblerId);
src/ArtGobblers.sol:L469 _mint(msg.sender, gobblerId);
src/Pages.sol:L211 _mint(msg.sender, pageId);
src/Pages.sol:L251 for (uint256 i = 0; i < numPages; i++) _mint(community, ++lastMintedPageId);
src/Goo.sol:L102 _mint(to, amount);
src/utils/token/GobblersERC721.sol:L160 function _mint(address to, uint256 id) internal {
src/utils/token/GobblersERC1155B.sol:L135 function _mint(
src/utils/token/PagesERC721.sol:L173 function _mint(address to, uint256 id) internal {
Zero-address checks are a best practice for input validation of critical address parameters. Accidentally passing the zero address may result in reverted transactions, burned fees or tokens, or a forced redeployment of the contracts.
https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/ArtGobblers.sol#L316-L317
https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/Goo.sol#L83-L84
https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/Pages.sol#l181
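The three points above (pinned pragma, _safeMint() vs _mint(), and zero-address validation of a critical constructor argument) can be seen together in one small contract. The following is an added illustration written for this page; it is not code from the Art Gobblers repository, and the names MinimalMinter, AcceptingReceiver and the community parameter are hypothetical. Access control on mint() is omitted so the mint path stays readable.

```solidity
// SPDX-License-Identifier: MIT
// Added illustration (not Art Gobblers code): a minimal ERC721-style mint
// path contrasting _mint with _safeMint, with a pinned pragma and a
// zero-address check on a critical constructor parameter.
pragma solidity 0.8.17; // pinned, instead of a floating `>=0.8.0`

// The receiver hook from EIP-721; _safeMint requires contracts to return
// this function's selector to prove they can handle the token.
interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external
        returns (bytes4);
}

contract MinimalMinter {
    // Hypothetical critical address fixed at deployment (e.g. a treasury).
    address public immutable community;

    mapping(uint256 => address) private _ownerOf;
    mapping(address => uint256) private _balanceOf;

    event Transfer(address indexed from, address indexed to, uint256 indexed id);

    error ZeroAddress();
    error AlreadyMinted();
    error UnsafeRecipient();

    constructor(address community_) {
        // Zero-address check: a missing or mistyped deployment argument
        // would otherwise send every future mint to an unrecoverable address.
        if (community_ == address(0)) revert ZeroAddress();
        community = community_;
    }

    // Plain mint: records ownership but never asks the recipient whether it
    // can handle ERC721 tokens. Minting to a contract that lacks
    // onERC721Received strands the token permanently.
    function _mint(address to, uint256 id) internal {
        if (to == address(0)) revert ZeroAddress();
        if (_ownerOf[id] != address(0)) revert AlreadyMinted();
        _balanceOf[to]++;
        _ownerOf[id] = to;
        emit Transfer(address(0), to, id);
    }

    // Safe mint: the same state update, followed by the receiver check.
    // State is written before the external call (checks-effects-interactions)
    // because onERC721Received hands control to the recipient, which may
    // re-enter this contract.
    function _safeMint(address to, uint256 id) internal {
        _mint(to, id);
        if (to.code.length != 0) {
            bytes4 retval = IERC721Receiver(to).onERC721Received(msg.sender, address(0), id, "");
            if (retval != IERC721Receiver.onERC721Received.selector) revert UnsafeRecipient();
        }
    }

    function mint(uint256 id) external {
        _safeMint(msg.sender, id);
    }

    function ownerOf(uint256 id) external view returns (address) {
        return _ownerOf[id];
    }
}

// A recipient that accepts ERC721 tokens. Calling mint() from a contract
// without this hook reverts with UnsafeRecipient instead of silently
// locking the token, which is the whole point of _safeMint.
contract AcceptingReceiver is IERC721Receiver {
    function onERC721Received(address, address, uint256, bytes calldata) external pure returns (bytes4) {
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

Two practical notes on the design. The receiver callback is the price of the safety check: it is an external call into arbitrary code, so the mint must update balances and ownership before invoking it, exactly as above, or the recipient can re-enter the mint path mid-update. And the hook is an ERC-721 mechanism (ERC-1155 has its own receiver interface with a different selector); an ERC-20 _mint such as the one in Goo.sol has no receiver check to switch to, so there the zero-address validation is the relevant safeguard.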
#0 - GalloDaSballo
2022-10-06T19:15:28Z
NC
L
#1 - GalloDaSballo
2022-10-14T00:29:14Z
1L 1NC clearly automated, will subtract 1 point