Back to hansfriese's contests

Nibbl contest - hansfriese's results

NFT fractionalization protocol with guaranteed liquidity and price based buyout.

General Information

Platform: Code4rena

Start Date: 21/06/2022

Pot Size: $30,000 USDC

Total HM: 12

Participants: 96

Period: 3 days

Judge: HardlyDifficult

Total Solo HM: 5

Id: 140

League: ETH

Nibbl

Findings Distribution

Researcher Performance

Rank: 2/96

Findings: 4

Award: $3,019.73

🌟 Selected for report: 1

πŸš€ Solo Findings: 1

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryNibbl

Findings Information

🌟 Selected for report: WatchPug

Also found by: hansfriese

Labels

bug
duplicate
2 (Med Risk)
sponsor acknowledged

Awards

631.623 USDC - $631.62

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-06-nibbl/blob/main/contracts/Twav/Twav.sol#L40

Vulnerability details

Impact

Twav._getTwav() might revert when it should work properly. In this case, the main functions like NibblVault.buy() and NibblVault.sell() will revert also.

Proof of Concept

According to the logic, Twav.lastBlockTimeStamp saves a modularized timestamp so current timestamp might be smaller than the previous one. So (_twavObservationCurrent.timestamp - _twavObservationPrev.timestamp) might meet the underflow error.

Tools Used

Solidity Visual Developer of VSCode

We can use unchecked calculation for the above calculation. We can modify L40 like below.

uint32 _timeElapsed; 
unchecked {
    _timeElapsed = _twavObservationCurrent.timestamp - _twavObservationPrev.timestamp;
}
_twav = (_twavObservationCurrent.cumulativeValuation - _twavObservationPrev.cumulativeValuation) / _timeElapsed;

#0 - HardlyDifficult

2022-07-03T23:12:34Z

Dupe https://github.com/code-423n4/2022-06-nibbl-findings/issues/178

Findings Information

🌟 Selected for report: hansfriese

Labels

bug
2 (Med Risk)
sponsor confirmed

Awards

2339.3444 USDC - $2,339.34

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-06-nibbl/blob/8c3dbd6adf350f35c58b31723d42117765644110/contracts/Twav/Twav.sol#L36

Vulnerability details

Impact

The "if" condition of Twav._getTwav() is missing some edge cases. In this case, this function will return 0 which is different from the correct value and it will affect the main functions like NibblVault.buy() and NibblVault.sell().

Proof of Concept

I think this condition is to confirm at least 4 values were saved for twav calculation. Btw this timestamp would be zero even though there are more than 4 values properly as it's modularized by 2**32. In this case, the if condition will be false and this function will return 0.

Tools Used

Solidity Visual Developer of VSCode

I see "cumulativeValuation" is increasing all the time and recommend replacing "timestamp" with "cumulativeValuation".

if (twavObservations[TWAV_BLOCK_NUMBERS - 1].cumulativeValuation != 0) {

#0 - mundhrakeshav

2022-07-01T07:59:21Z

https://github.com/NibblNFT/smart_contracts/pull/47

#1 - HardlyDifficult

2022-07-03T23:14:44Z

Interesting catch. This is related to #178 but presents a distinct issue.

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x1f8b, 0x29A, 0x52, 0xNazgul, 0xNineDec, 0xc0ffEE, 0xf15ers, 0xkatana, BowTiedWardens, Chom, ElKu, Funen, GalloDaSballo, JC, JMukesh, JohnSmith, Lambda, Limbooo, MadWookie, MiloTruck, Nethermind, Noah3o6, Nyamcil, Picodes, PwnedNoMore, Randyyy, RoiEvenHaim, SmartSek, StErMi, Tadashi, TerrierLover, TomJ, Tomio, Treasure-Seeker, UnusualTurtle, Varun_Verma, Wayne, Waze, _Adam, apostle0x01, asutorufos, berndartmueller, c3phas, catchup, cccz, cloudjunky, codexploder, cryptphi, defsec, delfin454000, dipp, ellahi, exd0tpy, fatherOfBlocks, hansfriese, hyh, joestakey, kebabsec, kenta, masterchief, minhquanym, naps62, oyc_109, pashov, peritoflores, reassor, rfa, robee, sach1r0, saian, sashik_eth, shenwilly, simon135, slywaters, sorrynotsorry, sseefried, unforgiven, xiaoming90, ych18, zuhaibmohd, zzzitron

Awards

28.2782 USDC - $28.28

Labels

bug
QA (Quality Assurance)
sponsor acknowledged

External Links

Link to GitHub issue

Summary

I've found 3 row-risk issues and some non-critical issues.

Low-Risk Issues

  1. Wrong comments
  1. Use safeTransfer(), safeTransferFrom() consistently instead of transfer(), transferFrom(). This is the same previous issue as a reference. L-01
  1. Missing events for admin functions that change important parameters

Non-critical Issues

  1. require()/revert() statements should have descriptive reason strings
  1. Natspec incomplete
  1. Needless ()

#0 - HardlyDifficult

2022-07-04T16:06:18Z

Merging with https://github.com/code-423n4/2022-06-nibbl-findings/issues/110

Relevant improvements suggested, mostly NC.

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0v3rf10w, 0x1f8b, 0x29A, 0xKitsune, 0xNazgul, 0xf15ers, 0xkatana, 8olidity, ACai, BowTiedWardens, Chandr, Chom, ElKu, Fitraldys, Funen, IgnacioB, JC, Lambda, Limbooo, MiloTruck, Noah3o6, Nyamcil, Picodes, Randyyy, SmartSek, StErMi, TerrierLover, TomJ, Tomio, UnusualTurtle, Waze, _Adam, ajtra, c3phas, cRat1st0s, catchup, codexploder, cryptphi, defsec, delfin454000, ellahi, exd0tpy, fatherOfBlocks, hansfriese, joestakey, kebabsec, kenta, m_Rassska, minhquanym, oyc_109, pashov, reassor, rfa, robee, sach1r0, saian, sashik_eth, simon135, slywaters, ych18, ynnad, zuhaibmohd

Awards

20.4863 USDC - $20.49

Labels

bug
G (Gas Optimization)
sponsor confirmed

External Links

Link to GitHub issue
  1. Use != 0 instead of > 0 for uint variables
  1. No need to initialize variables with default values
  1. Use ++i instead of i++, i+=1, also unchecked increments in for-loops will save gas cost
  1. An array’s length should be cached to save gas in for-loops
  1. Non-strict inequalities are cheaper than strict ones
  1. Usage of unchecked can reduce the gas cost
  1. require()/revert() strings longer than 32 bytes cost extra gas
  1. Check zero amount before transfer
  1. Check "_feeAdmin != 0" instead of "_adminFeeAmt > 0". The real transfer amount is _feeAdmin and this value might be zero even though _adminFeeAmt > 0 according to fee calculation
  1. Needless calculation From the calculation, we can see "(_index + 1) % TWAV_BLOCK_NUMBERS" is same as "twavObservationsIndex" because "_index" is the previous index of "twavObservationsIndex".
AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax Β© 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter