Open code423n4 opened 2 years ago
Thanks for the feedback!
adminAccountMigration
function completely instead. It's not something we have used in some time.increaseAllowance
.buy
we have opted to allow the highest offer to remain valid. It may not be common, but it's not 100% clear that the offer should have been canceled. e.g. the new owner may accept that offer in order to have a fast exit at a small loss due to buyers remorse.sendValueWithFallbackWithdraw
is when we are sending ETH to an address other than the msg.sender - we want to ensure that a malicious user cannot cause other user's transactions to revert. Here the refund is going to the msg.sender - if they are non-receivable they should be able to retry using the correct value instead. So we are leaving it as-is for now. Unadusted score: 100 (80 + 20 from clean formatting)
Signature Re-Use - Non-Critical (Lack of documentation on desiderability)
Approval Race Condition - Invalid in my opinion, since this has never been exploited and is uneconomical to exploit.
Unclear Function Naming - Non-Critical
Improper BASIS_POINTS
Check in _distributeFunds()
- Non-Critical (Lack of documentation on trade-offs)
Improper State Handling - Non-Critical (Lack of documentation on feature set)
Unhandled marketLockupFor()
Edge Case - Low
No Support For ERC1155
Tokens - Non-Critical (Accepted suggestion)
Malicious Contract Upgrades Will Lock Funds And NFTs - Invalid, this kind of issue belongs in a governance audit.
Unclear _recipients
Array Restriction - Non-Critical (Lack of documentation on trade-offs)
Inconsistent Use of sendValue()
- Non-Critical (Lack of documentation on flow and trade-offs)
Just a note that C4 is excluding the invalid entries from the official report.
Signature Re-Use
The
adminAccountMigration()
function intends to allow a seller to updateauction.seller
in the event their account is compromised. However, the signature inrequireAuthorizedAccountMigration()
can be re-used because there is no use of a nonce to prevent this.Consider adding a nonce to account for this behaviour.
Approval Race Condition
There is no use of the
increaseAllowance()
anddecreaseAllowance()
functions. As a result, users could frontrun calls toapprove()
by using the allocated amount before the new amount is set. Consequently, it might be possible for the approved spender to spend more tokens then they were allocated.Ensure this is understand and consider adding the aforementioned functions.
Unclear Function Naming
The
_cancelBuyersOffer()
function isn't exactly clear as it will only cancel the offer if the buyer ismsg.sender
. Therefore, it would be more clear to rename this to_cancelSellersOffer()
or similar to avoid confusion.Improper
BASIS_POINTS
Check in_distributeFunds()
The
_distributeFunds()
function checks ifcreatorShares[i] > BASIS_POINTS
when it should actually be checking iftotalShares > BASIS_POINTS
. This ensures that the sum of creator shares do not exceed an expected amount.Improper State Handling
If
_autoAcceptBuyPrice()
is executed by a new buyer that is notoffer.buyer
, then there will be an excess ofETH
. The originaloffer.buyer
will then have to wait until the offer expires as it isn't invalidated.Ensure this is understood.
Unhandled
marketLockupFor()
Edge CasemarketLockupFor()
will revert if too muchETH
is provided. This can be modified to refund any surplusETH
to the user'sFETH
balance.No Support For
ERC1155
TokensMany new NFT contracts adhere to the
ERC1155
standard. Currently, it is not possible to trade these tokens on the Foundation marketplace.Consider making the necessary integrations.
Malicious Contract Upgrades Will Lock Funds And NFTs
If the protocol owner becomes malicious or their account is compromised for whatever reason, they can lock users' funds by upgrading the relevant contracts to an malicious contract which always reverts. As a result, NFTs and
ETH
will be forever locked by the protocol.Unclear
_recipients
Array RestrictionThe
_recipients
array is restricted to just 5 receivers. Ensure this is understand by NFT creators as they may intend to use additional receivers but these receivers may be disproportionally rewarded if the majority of creator shares are not included.Inconsistent Use of
sendValue()
_buy()
should make use of_sendValueWithFallbackWithdraw()
instead ofsendValue()
. This will ensure invalid transfers are correctly handled.