OpenSea Seaport contest - hack3r-0m's results

A marketplace contract for safely and efficiently creating and fulfilling orders for ERC721 and ERC1155 items.

General Information

Platform: Code4rena

Start Date: 20/05/2022

Pot Size: $1,000,000 USDC

Total HM: 4

Participants: 59

Period: 14 days

Judge: leastwood

Id: 128

League: ETH

OpenSea

Findings Distribution

Researcher Performance

Rank: 19/59

Findings: 1

Award: $2,474.50

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository OpenSea

Findings Information

🌟 Selected for report: Spearbit

Also found by: 0xsanson, Chom, IllIllI, OriDabush, Saw-mon_and_Natalie, broccoli, cccz, cmichel, csanuragjain, foobar, hack3r-0m, hickuphh3, hubble, hyh, ilan, kebabsec, mayo, oyc_109, peritoflores, rfa, scaraven, sces60107, shung, sorrynotsorry, tintin, twojoy, zkhorse, zzzitron

Awards

2474.5018 USDC - $2,474.50

Labels

bug

QA (Quality Assurance)

External Links

Link to GitHub issue

LOW

vulnerable solidity compiler version

Seaport uses 0.8.13 while there are known bugs discovered in that version affecting arrays of dynamic types & Data Location, so compiler version should be updated to atleast 0.8.14 on both reference and optimized.

Implementation does not match comment

Location: https://github.com/code-423n4/2022-05-opensea-seaport/blob/main/contracts/lib/Executor.sol#L541-L544

Comment is wrong stating "Ensure result was extracted and matches EIP-1271 magic value." while it should match value ConduitInterface.execute.selector

NON-CRITICAL

_performERC20Transfer does zero code size check after executing the call, while _performERC721Transfer and _performERC1155Transfer does at vert begining of execution, so it should be normalized depending upon business logic.

GAS OPTIMIZATIONS

https://github.com/code-423n4/2022-05-opensea-seaport/blob/main/contracts/lib/BasicOrderFulfiller.sol#L86 , instead of div bit shift >> 2 can be used to reduce runtime gas by 1 unit
Make constructors payable to reduce addition checks and hence removing some opcodes

#0 - HardlyDifficult
2022-06-20T18:27:30Z

Merging with https://github.com/code-423n4/2022-05-opensea-seaport-findings/issues/206

#1 - HardlyDifficult
2022-06-26T17:46:29Z

vulnerable solidity compiler version

Seaport 1.1 was deployed with 0.8.14

Implementation does not match comment

The comment could be fixed / improved here.

_performERC20Transfer does zero code size check after executing the call

I believe the differences here were intentional. When data is returned (as is typically the case with ERC20) then checking the code size is redundant.

div bit shift >> 2

This could be included for a very small savings.

Make constructors payable

This is poor style IMO. And optimizing the constructor doesn't help end-users so this is not an important path to optimize.

EIP1271 signature will fail when length is 65

See comments in https://github.com/code-423n4/2022-05-opensea-seaport-findings/issues/206

OpenSea Seaport contest - hack3r-0m's results

A marketplace contract for safely and efficiently creating and fulfilling orders for ERC721 and ERC1155 items.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-09] QA Report - $2,474.50

Findings Information

Awards

Labels

External Links

LOW

vulnerable solidity compiler version

Implementation does not match comment

NON-CRITICAL

GAS OPTIMIZATIONS

#0 - HardlyDifficult2022-06-20T18:27:30Z

#1 - HardlyDifficult2022-06-26T17:46:29Z

#0 - HardlyDifficult
2022-06-20T18:27:30Z

#1 - HardlyDifficult
2022-06-26T17:46:29Z