search

code-423n4 / 2022-06-nibbl-findings

1 stars 0 forks source link

QA Report #286

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

1. NibblVault sell is missing reentrancy protection

Impact

Function NibbleVault.sell is missing lock modifier that protects against reentrancy attacks.

Proof of Concept

NibblVault.sol:

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to add lock modifier to sell function.

2. Confusing intialize vs initialise

Risk

Low

Impact

Protocol uses proxy pattern for vaults and baskets which requires properly initializing the contracts. The issue is that contract NibblVault implements function initialize and contract Basket.sol implements initialise. Using different naming convention for critical functionality such as initialization makes it prone to errors and leads to vulnerabilities.

Since openzeppelin goes with initializer modifier we recommend using initialize for Basket.sol.

Proof of Concept

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommend to change function Basket.initialise to Basket.initialize.

3. NibblVault incorrect check

Risk

Low

Impact

Contract NibblVault charges admin fee in _chargeFee and _chargeFeeSecondaryCurve:

        if(_adminFeeAmt > 0) {
            safeTransferETH(_factory, _feeAdmin); //Transfers admin fee to the factory contract
        }

The check is invalid since there might be edge case (when amount is very small) that _adminFeeAmt is positive and _feeAdmin is equal to 0. ETH should be sent when _feeAdmin is positive.

Proof of Concept

NibblVault.sol:

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to change the check to:

        if(_feeAdmin > 0) {
            safeTransferETH(_factory, _feeAdmin); //Transfers admin fee to the factory contract
        }

or even better after gas optimization to:

        if(_feeAdmin != 0) {
            safeTransferETH(_factory, _feeAdmin); //Transfers admin fee to the factory contract
        }

4. Missing zero address checks

Risk

Low

Impact

Multiple contracts do not check for zero addresses which might lead to loss of funds, failed transactions and can break the protocol functionality.

Proof of Concept

NibblVaultFactory.sol:

NibblVault.sol:

Basket.sol:

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to add zero address checks for listed parameters.

5. Missing events

Risk

Low

Impact

Multiple contracts are not implementing events for critical functions. Lack of events makes it difficult for off-chain applications to monitor the protocol.

Proof of Concept

NibblVaultFactory.sol:

NibblVault.sol:

Twav.sol:

AccessControlMechanism.sol:

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to add missing events to listed functions.

6. Critical address change

Risk

Low

Impact

Changing critical addresses such as ownership should be a two-step process where the first transaction (from the old/current address) registers the new address (i.e. grants ownership) and the second transaction (from the new address) replaces the old address with the new one. This gives an opportunity to recover from incorrect addresses mistakenly used in the first step. If not, contract functionality might become inaccessible.

Proof of Concept

NibblVault.sol:

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to implement two-step process for changing curator address.

7. Missing indexing for events

Risk

Non-Critical

Impact

Events should index addresses which helps off-chain applications in monitoring the protocol.

Proof of Concept

Interfaces/INibblVaultFactory.sol:5:    event Fractionalise(address assetAddress, uint256 assetTokenID, address proxyVault);

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to add indexing to address type parameters.

8. The contracts use unlocked pragma

Risk

Non-Critical

Impact

As different compiler versions have critical behavior specifics if the contract gets accidentally deployed using another compiler version compared to one they tested with, various types of undesired behavior can be introduced.

Proof of Concept

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

Consider locking compiler version, for example pragma solidity 0.8.10.

9. Misleading constant variable name

Risk

Non-Critical

Impact

Contract NibblVault implement constant variable primaryReserveRatio. The variable is constant so it should follow the naming convention for constant variables PRIMARY_RESERVE_RATIO.

Proof of Concept

NibblVault.sol:

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to change name of primaryReserveRatio to PRIMARY_RESERVE_RATIO.

10. Missing/incomplete natspec comments

Risk

Non-Critical

Impact

Contracts are missing natspec comments which makes code more difficult to read and prone to errors.

Proof of Concept

NibblVaultFactory.sol:

NibblVault.sol:

Basket.sol:

Twav.sol:

ProxyVault.sol:

ProxyBasket.sol:

AccessControlMechanism.sol:

EIP721Base.sol:

Tools Used

Manual Review / VSCode

Recommended Mitigation Steps

It is recommended to add missing natspec comments.

HardlyDifficult commented 2 years ago

Merging with https://github.com/code-423n4/2022-06-nibbl-findings/issues/247

HardlyDifficult commented 2 years ago

Merging with https://github.com/code-423n4/2022-06-nibbl-findings/issues/250

HardlyDifficult commented 2 years ago

Great stuff, very clear report