Platform: Code4rena
Start Date: 11/08/2022
End Date: 15/08/2022
Period: 4 days
Status: Completed
Pot Size: $40,000 USDC
Participants: 108
Reporter: itsmetechjay
Judge: hickuphh3
Id: 152
League: ETH
Lambda | 1/108 | $9,387.62 | 5 | 0 | 0 | 4 | 1 | - | 0 | 0 |
joestakey | 2/108 | $9,277.77 | 5 | 0 | 0 | 3 | 1 | - | - | 0 |
KIntern_NA | 3/108 | $2,924.09 | 4 | 0 | 0 | 4 | 0 | 0 | 0 | 0 |
byndooa | 4/108 | $2,896.65 | 2 | 0 | 0 | 2 | 0 | 0 | 0 | 0 |
shenwilly | 5/108 | $2,398.02 | 4 | 0 | 0 | 3 | 0 | - | 0 | 0 |
bin2chen | 6/108 | $1,757.37 | 2 | 0 | 0 | 1 | 0 | - | 0 | 0 |
berndartmueller | 7/108 | $1,240.78 | 3 | 0 | 0 | 2 | 0 | - | 0 | 0 |
0x52 | 8/108 | $1,239.89 | 3 | 0 | 0 | 2 | 0 | - | 0 | 0 |
0xHarry | 9/108 | $1,176.40 | 2 | 0 | 0 | 1 | 0 | 0 | - | 0 |
peritoflores | 10/108 | $1,155.80 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 0 |
Auditor per page
We're releasing four new contracts that are in scope for the audit:
NFT Drop Collections, does not support any other mechanic or collection type.For more detailed docs on drops please navigate to FoundationOS.
& all their inherited / library contracts.
We would like to call out extra attention to NFTDropMarketFixedPriceSale and MarketFees mixins as both of them are highly critical paths that perform accounting, fund distribution and transfers.
This is the complete list of what's in scope for this contest:
| Contract Name | SLOC | Purpose |
|---|---|---|
| NFTDropMarket | 61 | The main / top-level contract for all drop market tools on Foundation. |
| Constants | 10 | Shared constant values used by various mixins. |
| FETHNode | 36 | A wrapper for communicating with the FETH contract. |
| FoundationTreasuryNode | 34 | A wrapper for communicating with the treasury contract which collects Foundation fees and defines the admin & operator roles. |
| Gap10000 | 4 | A placeholder contract leaving room for new mixins to be added to the future. |
| MarketFees | 285 | Distributes revenue from sales. |
| BytesLibrary | 30 | A library for manipulation of byte arrays. |
| ArrayLibrary | 17 | Helper functions for arrays. |
| MarketSharedCore | 8 | A base class for Foundation market contracts to define functions that other market contract may implement or extend. |
| NFTDropMarketCore | 5 | A base class for the drop specific market contract to define functions that other mixins may implement or extend. |
| NFTDropMarketFixedPriceSale | 137 | Allows creators to list a drop collection for sale at a fixed price point. |
| NFTCollectionFactory | 169 | A factory to create NFT collections. |
| AddressLibrary | 12 | A library for address helpers not already covered by the OZ library library. |
| NFTDropCollection | 129 | A contract to batch mint and reveal a collection of NFTs. |
| ContractFactory | 15 | Stores a reference to the factory which is used to create contract proxies. (shared across all collection types) |
| AdminRole | 22 | Defines a role for admin accounts. |
| MinterRole | 23 | Defines a role for minter accounts. |
| CollectionRoyalties | 41 | Defines various royalty APIs for broad marketplace support. (shared across all collection types) |
| SequentialMintCollection | 47 | Extends the OZ ERC721 implementation for collections which mint sequential token IDs. (shared across all collection types) |
| NFTCollection | 133 | A collection of NFTs by a single creator. |
| Total | 1228 |
Any issues or improvements on how we integrate with the contracts above is in scope.
In order to maintain readability as our contracts grow in complexity, we separate responsibilities into different abstract contracts which we call 'mixins'. We try not to create too many interdependencies between mixins, shared logic may be defined in NFTDropMarketCore so mixins do not need to call each other directly.
Our new factory and NFT drop market contracts will be upgradeable proxies allowing us to add more features overtime. For an overview of the upgrade pattern, refer to the OpenZeppelin documentation.
This contract is not in scope for this contest.
FETH is an ERC-20 token modeled after WETH9. It has the ability to lockup tokens for 24-25 hours - during this time they may not be transferred or withdrawn, except by our market contract which requested the lockup in the first place.
Since after lockups expire, FETH is just another wrapped ETH token contract - we allow using your available FETH balance to mint from a NFT drop collection.
Note that both FETH have been audited in a previous C4 contest and have been live on mainnet for ~4 months.
Setup:
yarn yarn build
Test:
yarn test
(run yarn build again if ABIs have changed)
The tests in this repo are not our full test suite. We have simplified what was included here to clearly demonstrate core features and interactions; however, they still do a good job in covering most cases.
Troubleshooting:
Error: Lock file is already being held you can try again, deleting ./cache sometimes helps as well. Finding a fix for this common occurrence would be a high value QA issue :)yarn test --logs (or --trace, --fulltrace).yarn test path/to/test.ts e.g. yarn test test/NFTDropMarket/fixedPrice/drop.ts --logs. And/or update an it test to it.only(....The Hardhat gas reporter will print gas usage when running tests. We also have included a custom report we use to measure gas costs for the core scenarios we are interested in. When submitting optimizations, it would be most helpful to us if you communicate the impact in terms of the diff to the gas-stories.txt file your recommendation would create.
yarn test-gas-stories
This writes changes to
./gas-stories.txtlocally.
Most, but not all, of our tests have been added to this repo. If you run the coverage report you'll see pretty good coverage. Note that our private repo has 100% coverage, what's included here has been simplified a bit to remove some out of scope contracts and as a result coverage is not perfect here.
yarn coverage
After running this command, you'll need to re-run yarn build.
To view the report, open coverage/index.html in your browser.
See test/foundry/FixedPriceDrop.sol for an example you can build on to probe for issues.
Setup:
git submodule update --init --recursive --remote yarn curl -L https://foundry.paradigm.xyz | bash foundryup
Test:
forge test
If forge fails to run, please confirm you are running the latest version. This was tested with forge
0.2.0.
Note: After running forge you need to run yarn build again for the Hardhat tests to work.
We have run the default detectors with Slither, posted the output along with our responses to each. Please do not submit these findings unless you have reason to believe our responses here are not valid.
Responses use quote replies like this.
Note: Slither currently crashes on the try/catch blocks in our code. In order to generate these results, we temporarily removed the try/catch blocks.
You can use the slither branch in this repo to run Slither locally. This code has been modified to allow Slither to run locally with minimal changes, but the changes are not part of this contest and we removed mocks so tests will not run on that branch -- please validate your findings against the main branch before submitting!
You may need to upgrade Slither, these results were run with
0.8.3.