ParaSpace contest - i_got_hacked's results

The First Ever Cross-Margin NFT Financialization Protocol.

General Information

Platform: Code4rena

Start Date: 28/11/2022

Pot Size: $192,500 USDC

Total HM: 33

Participants: 106

Period: 11 days

Judge: LSDan

Total Solo HM: 15

Id: 186

League: ETH

ParaSpace

Findings Distribution

Researcher Performance

Rank: 81/106

Findings: 1

Award: $103.92

QA:

grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository ParaSpace

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x4non, 0x52, 0xAgro, 0xNazgul, 0xSmartContract, 0xackermann, 9svR6w, Awesome, Aymen0909, B2, BRONZEDISC, Bnke0x0, Deekshith99, Deivitto, Diana, Dravee, HE1M, Jeiwan, Kaiziron, KingNFT, Lambda, Mukund, PaludoX0, RaymondFam, Rolezn, Sathish9098, Secureverse, SmartSek, __141345__, ahmedov, ayeslick, brgltd, cccz, ch0bu, chrisdior4, cryptonue, cryptostellar5, csanuragjain, datapunk, delfin454000, erictee, gz627, gzeon, helios, i_got_hacked, ignacio, imare, jadezti, jayphbee, joestakey, kankodu, ksk2345, ladboy233, martin, nadin, nicobevi, oyc_109, pashov, pavankv, pedr02b2, pzeus, rbserver, ronnyx2017, rvierdiiev, shark, unforgiven, xiaoming90, yjrwkk

Awards

103.9175 USDC - $103.92

Labels

bug

grade-b

QA (Quality Assurance)

Q-36

External Links

Link to GitHub issue

Missing `zero address` check in `constructor`

`TYPOS`

`TODO` comments

Use `scientific notation` (e.g. `1e18`) rather than `exponentiation` (e.g. `10**18`)

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/misc/UniswapV3OracleWrapper.sol#L245

`public` functions not called by the contract should be declared `external` instead

Don’t store `block.chainId`

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/libraries/logic/ValidationLogic.sol#L1140

Use of `block.timestamp`

Block timestamps have historically been used for a variety of applications, such as entropy for random numbers (see the Entropy Illusion for further details), locking funds for periods of time, and various state-changing conditional statements that are time-dependent. Miners have the ability to adjust timestamps slightly, which can prove to be dangerous if block timestamps are used incorrectly in smart contracts.

Upgradeable contract is missing a `__gap[50]` storage variable to allow for new storage variables in later versions

`INITIALIZE` functions can be front-run

`NatSpec` is incomplete

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/libraries/logic/MarketplaceLogic.sol#L105-L114 /// @audit Missing: @return
https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/libraries/logic/PoolLogic.sol#L155-L165 /// @audit Missing: @param
https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/libraries/logic/GenericLogic.sol#L356-L362 /// @audit Missing: @param
https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/libraries/logic/GenericLogic.sol#L504-L512 /// @audit Missing: @param
https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/misc/UniswapV3OracleWrapper.sol#L183-L186 /// @audit Missing: param
https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/misc/UniswapV3OracleWrapper.sol#L200-L203 /// @audit Missing: @param
https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/misc/NFTFloorOracle.sol#L174-L175 /// @audit Missing: @param
https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/misc/NFTFloorOracle.sol#L182-L183 /// @audit Missing: @param
https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/tokenization/libraries/ApeStakingLogic.sol#L196-L204 /// @audit Missing: @return
https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/tokenization/libraries/ApeStakingLogic.sol#L225-L231 /// @audit Missing: @return
https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/tokenization/NTokenApeStaking.sol#L75-L78 /// @audit Missing: @param
https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/tokenization/base/MintableIncentivizedERC721.sol#L162-L165 /// @audit Missing: @param& return
https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/protocol/tokenization/base/MintableIncentivizedERC721.sol#L162-L165 /// @audit Missing: @param & return

#0 - c4-judge
2023-01-25T16:18:04Z

dmvt marked the issue as grade-b

ParaSpace contest - i_got_hacked's results

The First Ever Cross-Margin NFT Financialization Protocol.

General Information

Findings Distribution

Researcher Performance

External Links

[Q-36] QA Report - $103.92

Findings Information

Awards

Labels

External Links

Missing zero address check in constructor

TYPOS

TODO comments

Use scientific notation (e.g. 1e18) rather than exponentiation (e.g. 10**18)

public functions not called by the contract should be declared external instead

Don’t store block.chainId

Use of block.timestamp

Upgradeable contract is missing a __gap[50] storage variable to allow for new storage variables in later versions

INITIALIZE functions can be front-run

NatSpec is incomplete

#0 - c4-judge2023-01-25T16:18:04Z

Missing `zero address` check in `constructor`

`TYPOS`

`TODO` comments

Use `scientific notation` (e.g. `1e18`) rather than `exponentiation` (e.g. `10**18`)

`public` functions not called by the contract should be declared `external` instead

Don’t store `block.chainId`

Use of `block.timestamp`

Upgradeable contract is missing a `__gap[50]` storage variable to allow for new storage variables in later versions

`INITIALIZE` functions can be front-run

`NatSpec` is incomplete

#0 - c4-judge
2023-01-25T16:18:04Z