Canto Identity Subprotocols contest


d3e4	1/98	$9,809.85	3	0	3	3	0	0
adriro	2/98	$4,472.49	6	1	4	1	Grade B	0
cccz	3/98	$3,269.95	1	0	1	1	0	0
volodya	4/98	$1,992.82	2	1	1	0	0	0
Haipls	5/98	$1,151.77	2	0	2	0	0	0
glcanvas	6/98	$882.89	1	0	1	0	0	0
igingu	7/98	$695.73	4	1	1	0	Grade A	Grade A
descharre	8/98	$435.83	3	1	0	0	Grade B	Grade B
IgorZuk	9/98	$423.80	2	1	0	0	-	0
m9800	10/98	$401.03	1	1	0	0	0	0


d3e4	1/98	$9,809.85	3	0	3	3	0	0
adriro	2/98	$4,472.49	6	1	4	1	Grade B	0
cccz	3/98	$3,269.95	1	0	1	1	0	0
volodya	4/98	$1,992.82	2	1	1	0	0	0
Haipls	5/98	$1,151.77	2	0	2	0	0	0
glcanvas	6/98	$882.89	1	0	1	0	0	0
igingu	7/98	$695.73	4	1	1	0	Grade A	Grade A
descharre	8/98	$435.83	3	1	0	0	Grade B	Grade B
IgorZuk	9/98	$423.80	2	1	0	0	-	0
m9800	10/98	$401.03	1	1	0	0	0	0

Canto Identity Subprotocols contest details

Total Prize Pool: $36,500
- HM awards: $25,500
- QA report awards: $3,000
- Gas report awards: $1,500
- Judge + presort awards: 6,000
- Scout awards: $500 USDC
Join C4 Discord to register
Submit findings using the C4 form
Read our guidelines for more details
Starts March 17, 2023 20:00 UTC
Ends March 20, 2023 20:00 UTC

Automated Findings / Publicly Known Issues

Automated findings output for the contest can be found here within an hour of contest opening.

Note for C4 wardens: Anything included in the automated findings output is considered a publicly known issue and is ineligible for awards.

Overview

The audit covers three subprotocols for the Canto Identity Protocol:

Canto Bio Protocol: Allows the association of a biography to an identity
Canto Profile Picture Protocol: Allows the association of a profile picture (arbitrary NFT) to an identity
Canto Namespace Protocol: A subprotocol for minting names from tiles (characters in a specific font).

Each subprotocol is contained in a folder (canto-bio-protocol, canto-namespace-protocol, canto-pfp-protocol) and there is a README in every folder that describes the protocol in more detail.

Scope

Files in scope

File	SLOC	Description and Coverage	Libraries
Contracts (4)
canto-pfp-protocol/src/ProfilePicture.sol	58	Profile Picture subprotocol NFT: Allows to reference an NFT that is owned by the user (the holder of the canto identity NFT that is associated with this PFP NFT). 100.00%	`solmate/*`
canto-bio-protocol/src/Bio.sol 🖥	94	Biography subprotocol NFT: Allows to mint an NFT with an arbitrary biography. 100.00%	`solmate/` `solady/`
canto-namespace-protocol/src/Namespace.sol 🖥	141	Namespace subprotocol NFT: Represents a name with characters in different fonts. -	`solmate/` `solady/`
canto-namespace-protocol/src/Tray.sol 🧮	180	Namespace NFTs are fused with trays that are bought (or traded on the secondary market). -	`erc721a/` `solmate/` `solady/*`
Libraries (1)
canto-namespace-protocol/src/Utils.sol Σ	214	Utilities for string/SVG manipulations that are used by the Namespace and Tray contract. -	`solmate/*`
Total (over 5 files):	687	100.00%

All other source contracts (not in scope)

File	SLOC	Description and Coverage	Libraries
Contracts (3)
canto-identity-protocol/src/AddressRegistry.sol	47	-	`solmate/*`
canto-identity-protocol/src/SubprotocolRegistry.sol	64	-	`solmate/*`
canto-identity-protocol/src/CidNFT.sol	300	-	`solmate/*`
Total (over 3 files):	411	-

External imports

erc721a/ERC721A.sol
- canto-namespace-protocol/src/Tray.sol
solady/utils/Base64.sol
solmate/auth/Owned.sol
solmate/tokens/ERC20.sol
solmate/tokens/ERC721.sol
solmate/utils/LibString.sol
solmate/utils/SafeTransferLib.sol

Additional Context

All three subprotocols are Canto Identity Protocol subprotocols, so it might be helpful to look at this codebase to understand the subprotocols better. The code (folder canto-identity-protocol) was already audited in a previous audit and is out of scope for this audit. It is only included as additional context.

Scoping Details

- If you have a public code repo, please share it here:  
- How many contracts are in scope?:   5
- Total SLoC for these contracts?:  687
- How many external imports are there?: 14  
- How many separate interfaces and struct definitions are there for the contracts within scope?:  1
- Does most of your code generally use composition or inheritance?:   Inheritance
- How many external calls?:   5
- What is the overall line coverage percentage provided by your tests?:  100
- Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?: true  
- Please describe required context:   Understanding Canto Identity Protocol (which was previously audited) is helpful, as these are subprotocols for it. But it is not strictly required
- Does it use an oracle?:  No
- Does the token conform to the ERC20 standard?:  
- Are there any novel or unique curve logic or mathematical models?: No
- Does it use a timelock function?: No 
- Is it an NFT?: Yes
- Does it have an AMM?:   No
- Is it a fork of a popular project?:  false 
- Does it use rollups?:   false
- Is it multi-chain?:  false
- Does it use a side-chain?: false

Tests

To run the tests including a gas report, run the following command in every folder (canto-bio-protocol, canto-namespace-protocol, canto-pfp-protocol):

npm install && forge test --gas-report

slither works without problems in canto-bio-protocol and canto-pfp-protocol, but cannot analyze the code in canto-namespace-protocol because of the following error:

unresolved reference to identifier _BITMASK_ADDRESS

Quickstart command

rm -Rf 2023-03-canto-identity || true && git clone https://github.com/code-423n4/2023-03-canto-identity.git -j8 --recurse-submodules && cd 2023-03-canto-identity && foundryup && cd canto-bio-protocol && npm install && forge test --gas-report && cd .. && cd canto-namespace-protocol && npm install && forge test --gas-report && cd .. && cd canto-pfp-protocol && npm install && forge test --gas-report && cd ..

Canto Identity Subprotocols contest

General Information

Findings Distribution

External Links

Leaderboard