Platform: Code4rena
Start Date: 03/05/2022
End Date: 07/05/2022
Period: 5 days
Status: Completed
Pot Size: $50,000 USDC
Participants: 46
Reporter: liveactionllama
Judge: gzeon
Id: 117
League: ETH
leastwood | 1/46 | $17,568.24 | 3 | 0 | 0 | 2 | 1 | - | 0 | 0 |
hubble | 2/46 | $13,743.24 | 1 | 0 | 0 | 1 | 1 | 0 | 0 | 0 |
BowTiedWardens | 3/46 | $5,076.80 | 3 | 0 | 0 | 1 | 0 | - | - | 0 |
sorrynotsorry | 4/46 | $4,378.51 | 3 | 0 | 0 | 2 | 0 | - | 0 | 0 |
IllIllI | 5/46 | $1,029.73 | 3 | 0 | 0 | 1 | 0 | - | - | 0 |
0xDjango | 6/46 | $507.30 | 3 | 0 | 0 | 1 | 0 | - | - | 0 |
GimelSec | 7/46 | $507.30 | 3 | 0 | 0 | 1 | 0 | - | - | 0 |
oyc_109 | 8/46 | $444.64 | 3 | 0 | 0 | 1 | 0 | - | - | 0 |
0x1f8b | 9/46 | $439.72 | 3 | 0 | 0 | 1 | 0 | - | - | 0 |
throttle | 10/46 | $439.72 | 3 | 0 | 0 | 1 | 0 | - | - | 0 |
We do not plan to add any ERC777-backed cTokens to Bunker, so any vulnerabilities (e.g. any known vulnerabilities in Compound) that require the underlying to be an ERC777 (or similar) are not in the scope of this contest.
This protocol is a fork of Compound 2.9 that allows users to collateralize ERC721s, ERC1155s, and CryptoPunks.
To learn more about Compound, you can read the documentation here:
The following contracts/functions are part of the audit scope:
This contract implements an enumerable version of the ERC1155 token standard. It can wrap an ERC721, ERC1155, or CryptoPunk. cNFT represents a collateralized NFT, similar to how cTokens represent collateralized Ether or ERC20s.
This contract uses the following external libraries:
@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol
@openzeppelin/contracts/token/ERC1155/IERC1155Receiver.sol
@openzeppelin/contracts/interfaces/IERC1155.sol
@openzeppelin/contracts/interfaces/IERC721.sol
@openzeppelin/contracts/utils/introspection/ERC165.sol
@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol
@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol
@openzeppelin/contracts-upgradeable/security/ReentrancyGuardUpgradeable.sol
This contract also uses ERC1155Enumerable.sol, which is also in scope for this contest. Details in the next section.
This contract implements an enumerable version of ERC1155 that allows for enumerating the NFTs an address owns.
This contract uses the following libraries:
@openzeppelin/contracts/interfaces/IERC1155.sol
@openzeppelin/contracts-upgradeable/token/ERC1155/ERC1155Upgradeable.sol
./EnumerableUintSet.sol (a subset of OpenZeppelin's EnumerableSet.sol)
This contract is Bunker's implementation of Compound's PriceOracle interface. It makes an external call to the USDC/ETH Chainlink feed.
The liquidateBorrowNft function in CErc20.sol/CEther.sol and the liquidateBorrowNftInternal/liquidateBorrowNftFresh functions in CToken.sol are in scope for this contest. They are the code paths used for liquidating cNFTs. No additional libraries are used.
This contract contains logic for accounting of cNFTs and dictating when certain actions (e.g. supplying/borrowing/liquidating) are allowed. No additional libraries are used.
This contract implements a 30 minute UniswapV2 TWAP oracle. It makes three external calls to a UniswapV2Pair contract (price0CumulativeLast/price1CumulativeLast/getReserves), one external call to UniswapV2Factory (getPair) and one external call to an ERC20 contract (decimals).
One library is used (Oracles/libraries/FullMath.sol), which is a copy of Uniswap's mulDiv function in the FullMath library, but with very small modifications to make it compatible with Solidity 0.8.
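How the values read from the pair combine into a time-weighted price, as an added example that is not Bunker's contract code: it models the standard Uniswap V2 accumulator arithmetic in Python, and the function names, the token0-only pricing and the sample reserves are assumptions constructed for illustration. It shows that a reserve skew lasting one 12-second block moves the 30 minute average far less than it moves the spot price.

```python
# Added example: models the Uniswap V2 cumulative-price arithmetic in plain Python.
# Function names and sample values are constructed; this is not Bunker's contract code.
Q112 = 1 << 112          # UQ112x112 fixed-point scale used by UniswapV2Pair
UINT256 = 1 << 256       # accumulators overflow by design, so all math is modular
UINT32 = 1 << 32         # the pair stores block timestamps as uint32
MIN_PERIOD = 30 * 60     # 30 minute window, as stated on the page


def accumulate(cumulative, reserve0, reserve1, seconds):
    """Advance price0CumulativeLast by `seconds` at the price reserve1/reserve0."""
    return (cumulative + (reserve1 * Q112 // reserve0) * seconds) % UINT256


def current_cumulative(price0_cumulative_last, reserves, now):
    """Extrapolate the accumulator to `now`; the pair only updates it on interaction."""
    reserve0, reserve1, last_ts = reserves          # shape of getReserves()
    elapsed = (now - last_ts) % UINT32
    return accumulate(price0_cumulative_last, reserve0, reserve1, elapsed)


def twap(obs_cumulative, obs_ts, price0_cumulative_last, reserves, now):
    """Average token0 price (UQ112x112) between a stored observation and `now`."""
    elapsed = (now - obs_ts) % UINT32
    if elapsed < MIN_PERIOD:
        raise ValueError("observation is younger than the TWAP window")
    latest = current_cumulative(price0_cumulative_last, reserves, now)
    return ((latest - obs_cumulative) % UINT256) // elapsed


def demo(start_cumulative=12345 * Q112):
    """Constructed scenario: price 2.0 for 1788 s, then reserves skewed to 200.0 for 12 s."""
    t0, unit = 1_651_500_000, 10**18
    # Swap at t0+1788: the pair first accumulates at the old price, then stores new reserves.
    cumulative = accumulate(start_cumulative, 1000 * unit, 2000 * unit, 1788)
    reserves = (100 * unit, 20000 * unit, t0 + 1788)
    spot = reserves[1] / reserves[0]
    avg = twap(start_cumulative, t0, cumulative, reserves, t0 + 1800)
    return spot, avg / Q112


if __name__ == "__main__":
    spot, avg = demo()
    print(f"spot={spot:.2f} twap={avg:.2f}")
```

The modular subtraction in `twap` is what keeps the result correct when the accumulator wraps past 2^256 between the stored observation and the current read.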
This contract implements a price oracle for cNFT. It prices the cNFT at the price of the underlying's NFTX token (computed by UniswapV2PriceOracle), minus the mint fee. It makes one external call to a NFTXVault contract, mintFee.
Like in UniswapV2PriceOracle, the FullMath library is used.