Launchpad for collaborative web3 media projects with blueprints, building blocks, and community support.
Platform: Code4rena
Start Date: 30/03/2022
End Date: 01/04/2022
Period: 3 days
Status: Completed
Pot Size: $30,000 USDC
Participants: 38
Reporter: itsmetechjay
Judge: Michael De Luca
Id: 104
League: ETH
leastwood | 1/38 | $4,160.27 | 8 | 5 | 1 | 2 | 1 | - | 0 | 0 |
kirk-baird | 2/38 | $3,228.28 | 10 | 5 | 0 | 4 | 2 | - | 0 | 0 |
peritoflores | 3/38 | $2,683.35 | 1 | 1 | 1 | 0 | 0 | 0 | 0 | 0 |
hickuphh3 | 4/38 | $2,346.14 | 6 | 3 | 0 | 3 | 1 | 0 | 0 | 0 |
ych18 | 5/38 | $2,029.35 | 4 | 2 | 0 | 0 | 0 | - | - | 0 |
wuwe1 | 6/38 | $1,593.53 | 4 | 2 | 0 | 1 | 0 | - | 0 | 0 |
hyh | 7/38 | $1,386.49 | 5 | 3 | 0 | 1 | 0 | - | 0 | 0 |
rayn | 8/38 | $1,257.94 | 5 | 2 | 0 | 1 | 1 | - | - | 0 |
WatchPug | 9/38 | $1,096.81 | 6 | 4 | 0 | 0 | 0 | - | - | 0 |
Dravee | 10/38 | $1,065.12 | 4 | 1 | 0 | 1 | 1 | - | - | 0 |
This contest is open for three days. Representatives from Joyn will be available in the Code Arena Discord to answer any questions during the contest period. The focus for the contest is to try and find any logic errors or ways to drain fungible or non-fungible assets from the protocol in a way that is advantageous for an attacker at the expense of users with funds in the protocol.
Joyn is an ecosystem of talent, knowledge and resources for emerging creators to co-create, promote and launch NFT projects. We provide project blueprints (project page, milestones, prompts), web3 building blocks (NFT membership passes, royalty splits, airdrops, output collections), and community resources (network of co-creators and support programs).
Our mission is to make the process of creative collaboration accessible to as many as possible, and to empower every creator regardless of their number of followers, knowledge, or access to resources.
Looking into the future we want to become a go-to platform for metaverse content creation, and to see a lot of cross-pollination and remixing among the projects built with Joyn.
We fully embrace modularity and interoperability with our architecture. We have modules that extend the ERC721 standards, which provide functionalities beyond minting and transferring token instances.
For example, NFT collections launched through Joyn allow project creators, out of the box, to split royalties among an arbitrary number of recipients, which means we could achieve shared royalties between everyone involved in the project.
This paves the way for open co-creation of web3 content, where all contributors may share ownership and royalties, and benefit directly from the project’s success.
With that as a foundation, this will also unlock content attribution / remixing as a new class of use case based on inter-referencing projects.
All the contracts in this section are to be reviewed. Any contracts not in this list are to be ignored for this contest. A further breakdown of contracts and their dependencies can be found here
Here is a high-level system diagram.
ERC721 contract responsible for:
Libraries used:
Contract responsible for:
Contract used for deploying instances of CoreCollection. We use proxies for gas optimization, and they will allow us to upgrade our users' contracts in the future.
Libraries used:
An abstract contract that extends the functionality of ERC721. This contract makes the CoreCollection contract claimable. The collection owner is able to airdrop tokens from its collection to a large number of users. Addresses receiving the airdrop are then able to claim tokens for free by calling the mintToken function.
This contract uses a Merkle tree to verify whether an address is eligible for a claim.
This contract is responsible for:
Libraries used:
An abstract contract that extends the functionality of ERC721. This contract makes the CoreCollection contract payable. Once a token gets minted, this contract is responsible for handling the payment made. The payment will either be sent to the royalty vault or be kept within the collection contract.
This contract is responsible for:
Libraries used:
Contract used for deploying instances of RoyaltyVault. We use proxies for gas optimization, and they will allow us to upgrade our users' contracts in the future.
Libraries used:
ERC721 contract responsible for:
Libraries used:
ERC721 contract responsible for:
Libraries used:
Contract used for deploying instances of Splitter. We use proxies for gas optimization, and they will allow us to upgrade our users' contracts in the future.
A contract that allows co-creators to share revenue generated by a project. This contract uses a Merkle tree to verify whether a user can claim a share of the revenue.
This contract is responsible for:
Every time a token is transferred, a collection will attempt to push funds from the royalty vault to the split contract via a hook called _beforeTransfer.
Royalties will be sent to the vault from marketplaces like OpenSea. We haven't yet implemented an on-chain royalty mechanism like ERC2981, but it will be implemented in the future.
The splits repository has been forked from this mirror-xyz/splits Github repository.
More information about how the split mechanism works can be found here
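The Merkle-tree eligibility check that both the claimable collection and the split contract rely on, sketched off-chain as an added example (this is not Joyn's code). Assumptions: the leaf is hash(address || amount), pairs are hashed in sorted order, SHA-256 stands in for keccak256, and the addresses and amounts are constructed.

```javascript
const { createHash } = require("crypto");

// SHA-256 stands in for keccak256, which Node's standard library does not ship.
const h = (...bufs) => createHash("sha256").update(Buffer.concat(bufs)).digest();

// Assumed leaf layout: hash(20-byte address || 32-byte big-endian amount).
function leaf(address, amount) {
  const addr = Buffer.from(address.slice(2), "hex");
  const amt = Buffer.from(BigInt(amount).toString(16).padStart(64, "0"), "hex");
  return h(addr, amt);
}

// Sorted-pair hashing: a proof needs no left/right position flags.
const hashPair = (a, b) => (Buffer.compare(a, b) <= 0 ? h(a, b) : h(b, a));

// Build every tree level bottom-up; an unpaired node is promoted unchanged.
function buildLevels(leaves) {
  const levels = [leaves];
  while (levels[levels.length - 1].length > 1) {
    const prev = levels[levels.length - 1], next = [];
    for (let i = 0; i < prev.length; i += 2)
      next.push(i + 1 < prev.length ? hashPair(prev[i], prev[i + 1]) : prev[i]);
    levels.push(next);
  }
  return levels;
}

// Collect the sibling hash at each level on the path from leaf to root.
function getProof(levels, index) {
  const proof = [];
  for (let d = 0; d < levels.length - 1; d++) {
    const sibling = levels[d][index ^ 1];
    if (sibling) proof.push(sibling);
    index >>= 1;
  }
  return proof;
}

// The verifier's side: fold the proof into the claimed leaf, compare to the root.
function verify(root, address, amount, proof) {
  return proof.reduce((acc, sib) => hashPair(acc, sib), leaf(address, amount)).equals(root);
}

// Constructed allowlist of [address, amount] entries (not real accounts).
const ALLOWLIST = [["11", 1], ["22", 2], ["33", 5]].map(([b, n]) => ["0x" + b.repeat(20), n]);
const LEVELS = buildLevels(ALLOWLIST.map(([a, n]) => leaf(a, n)));
const ROOT = LEVELS[LEVELS.length - 1][0];
```

Only the root needs to be stored by the verifier; a claim whose address or amount differs from the committed entry produces a different leaf and fails the comparison.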
We would like wardens to focus on any core functional logic, boundary case errors or similar issues which could be utilized by an attacker to take fungible or non-fungible assets away from clients who have funds deposited in the protocol, whether it is in royalty vaults, split or collection contracts. That said, any errors may be submitted by wardens for review and potential reward as per the normal issue impact prioritization. Gas optimizations are welcome but not the main focus of this contest, and thus at most 5% of the contest reward will be allocated to gas optimizations. For gas optimizations, the most important flows are client collection, split and royalty vault contract deployments.
If wardens are unclear on which areas to look at or which areas are important please feel free to ask in the contest Discord channel.
A full set of unit tests is provided in the repo. To run them, do the following:
1. Install nodejs (refer to nodejs).
2. In each folder (core-contracts, royalty-vault, splits), run:
   npm install
   npm run test
3. For the splits folder, you will first need to:
   cp .env.example .env
   and set ALCHEMY_API_KEY={your key} & DEPLOYER_PRIVATE_KEY={your private key}