Back to shark's contests

ParaSpace contest - shark's results

The First Ever Cross-Margin NFT Financialization Protocol.

General Information

Platform: Code4rena

Start Date: 28/11/2022

Pot Size: $192,500 USDC

Total HM: 33

Participants: 106

Period: 11 days

Judge: LSDan

Total Solo HM: 15

Id: 186

League: ETH

ParaSpace

Findings Distribution

Researcher Performance

Rank: 58/106

Findings: 2

Award: $126.39

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryParaSpace

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0xNazgul, Atarpara, Awesome, Aymen0909, BClabs, Kong, ali_shehab, bullseye, chaduke, csanuragjain, datapunk, fatherOfBlocks, hansfriese, kaliberpoziomka8552, nicobevi, pashov, pzeus, shark, unforgiven, web3er, xiaoming90

Awards

22.467 USDC - $22.47

Labels

bug
3 (High Risk)
partial-50
upgraded by judge
edited-by-warden
duplicate-402

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2022-11-paraspace/blob/main/paraspace-core/contracts/misc/NFTFloorOracle.sol#L167-L172

Vulnerability details

Impact

In NFTFloorOracle.sol, the function removeFeeder() is intended to be called only by the owner. However, anyone could call removeFeeder() to remove a feeder. As such, an attacker could continually call removeFeeder() to remove all feeders. This could cause chaos to any contracts that depend on these feeders.

Proof of Concept

File: NFTFloorOracle.sol Line 167-172

As seen below, there is nothing checking if the caller is the owner

165    /// @notice Allows owner to remove feeder.
166    /// @param _feeder feeder to remove
167    function removeFeeder(address _feeder)
168        external
169        onlyWhenFeederExisted(_feeder)
170    {
171        _removeFeeder(_feeder);
172    }

Tools Used

No tools used.

Add the onlyRole(DEFAULT_ADMIN_ROLE) modifier.

For example:

    function removeFeeder(address _feeder)
        external
        onlyWhenFeederExisted(_feeder)
        onlyRole(DEFAULT_ADMIN_ROLE)
    {
        _removeFeeder(_feeder);
    }

#0 - c4-judge

2022-12-20T16:58:41Z

dmvt marked the issue as duplicate of #31

#1 - c4-judge

2023-01-09T14:10:46Z

dmvt changed the severity to 3 (High Risk)

#2 - c4-judge

2023-01-09T14:25:07Z

dmvt marked the issue as partial-50

Findings Information

🌟 Selected for report: IllIllI

Also found by: 0x4non, 0x52, 0xAgro, 0xNazgul, 0xSmartContract, 0xackermann, 9svR6w, Awesome, Aymen0909, B2, BRONZEDISC, Bnke0x0, Deekshith99, Deivitto, Diana, Dravee, HE1M, Jeiwan, Kaiziron, KingNFT, Lambda, Mukund, PaludoX0, RaymondFam, Rolezn, Sathish9098, Secureverse, SmartSek, __141345__, ahmedov, ayeslick, brgltd, cccz, ch0bu, chrisdior4, cryptonue, cryptostellar5, csanuragjain, datapunk, delfin454000, erictee, gz627, gzeon, helios, i_got_hacked, ignacio, imare, jadezti, jayphbee, joestakey, kankodu, ksk2345, ladboy233, martin, nadin, nicobevi, oyc_109, pashov, pavankv, pedr02b2, pzeus, rbserver, ronnyx2017, rvierdiiev, shark, unforgiven, xiaoming90, yjrwkk

Awards

103.9175 USDC - $103.92

Labels

bug
grade-b
QA (Quality Assurance)
edited-by-warden
Q-25

External Links

Link to GitHub issue

1. Redundant Conditional Check

File: NFTFloorOracle.sol Line 331

        if (feederIndex >= 0 && feeders[feederIndex] == _feeder) {

Because feederIndex is type uint8, it can never go below zero. As such, the check feederIndex >= 0 is redundant

Instead, you can refactor to the following:

        if (feeders[feederIndex] == _feeder) {

2. Typo mistakes

File: AuctionLogic.sol Line 34

tsatr -> start

     * @notice Function to tsatr auction on an ERC721 of a position if its ERC721 Health Factor drops below 1.

File: ReserveLogic.sol Line 163, Line 261

Duplicated "reserve reserve"

     * @param reserve The reserve reserve to be updated

3. Use delete to clear variables instead of zero assignment

A better way to indicate that you are clearing a variable is to use the delete keyword.

For example:

File: MarketplaceLogic.sol Line 409 - 410

            price = 0;
            downpayment = 0;

The above could be refactored to:

            delete price;
            delete downpayment;

4. Events are missing old value

Consider having events that update state variables emit both the old and new values.

Here are some instances of this issue:

File ParaSpaceOracle.sol Line 62

File: ParaSpaceOracle.sol Line 111

5. Missing Zero address/value checks

Zero address/value checks should be implemented for security. However, such checks are missing in many contracts.

Here are some instances:

File: ParaSpaceOracle.sol Line 49-63

File: UniswapV3OracleWrapper.sol Line 24-26

File: DefaultReserveAuctionStrategy.sol Line 50-64

6. Avoid the use of _setupRole() as it is deprecated

As said in the OpenZeppelin's docs, "This function is deprecated in favor of _grantRole."

There are 3 instances of this issue:

File: NFTFloorOracle.sol (Line 104, Line 106, Line 314)

104:         _setupRole(DEFAULT_ADMIN_ROLE, _admin);
...
106:        _setupRole(UPDATER_ROLE, _admin);
...
314:        _setupRole(UPDATER_ROLE, _feeder);

Consider replacing _setupRole() with _grantRole():

104:         _grantRole(DEFAULT_ADMIN_ROLE, _admin);
...
106:        _grantRole(UPDATER_ROLE, _admin);
...
314:        _grantRole(UPDATER_ROLE, _feeder);

7. Unresolved TODOs

Consider resolving open TODOs before deployment.

Here are some examples of this issue:

File: UniswapV3OracleWrapper.sol Line 238

File: MarketplaceLogic.sol Line 442

File: LooksRareAdapter.sol Line 59

8. Limit line length

To comply with the Solidity Style Guide, lines should be limited to 120 characters max.

For example, the instance below is 243 characters past the recommended limit

File: LiquidationLogic.sol Line 603

9. Unused imports

Contracts that are imported and not used anywhere in the code are most likely an accident due to incomplete refactoring. Such imports can lead to confusion by readers.

For example, here are some instances:

File: X2Y2Adapter.sol (Line 6, Line 7, Line 8, Line 10, Line 14, Line 16

6: import {OrderTypes} from "../../dependencies/looksrare/contracts/libraries/OrderTypes.sol";

7: import {SeaportInterface} from "../../dependencies/seaport/contracts/interfaces/SeaportInterface.sol";

8: import {ILooksRareExchange} from "../../dependencies/looksrare/contracts/interfaces/ILooksRareExchange.sol";

10: import {SignatureChecker} from "../../dependencies/looksrare/contracts/libraries/SignatureChecker.sol";

14: import {IERC1271} from "../../dependencies/openzeppelin/contracts/IERC1271.sol";

16: import {PoolStorage} from "../../protocol/pool/PoolStorage.sol";

File: LooksRareAdapter.sol (Line 7, Line 9, Line 13, Line 15)

7: import {SeaportInterface} from "../../dependencies/seaport/contracts/interfaces/SeaportInterface.sol";

9: import {SignatureChecker} from "../../dependencies/looksrare/contracts/libraries/SignatureChecker.sol";

13: import {IERC1271} from "../../dependencies/openzeppelin/contracts/IERC1271.sol";

15: import {PoolStorage} from "../../protocol/pool/PoolStorage.sol";

File: SeaportAdapter.sol (Line 6, Line 8, Line 9, Line 10, Line 13, Line 15)

6: import {OrderTypes} from "../../dependencies/looksrare/contracts/libraries/OrderTypes.sol";

8: import {ILooksRareExchange} from "../../dependencies/looksrare/contracts/interfaces/ILooksRareExchange.sol";

9: import {SignatureChecker} from "../../dependencies/looksrare/contracts/libraries/SignatureChecker.sol";

10: import {ConsiderationItem} from "../../dependencies/seaport/contracts/lib/ConsiderationStructs.sol";

13: import {IERC1271} from "../../dependencies/openzeppelin/contracts/IERC1271.sol";

15: import {PoolStorage} from "../../protocol/pool/PoolStorage.sol";

#0 - c4-judge

2023-01-25T15:49:51Z

dmvt marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter