code-423n4 / 2022-06-nibbl-findings


QA Report #287

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

LOW

Missing address(0) check when setting new curator

This could lead to funds being locked in the contract forever.

1. File: NibblVault.sol#L183


    function updateCurator(address _newCurator) external override {
        require(msg.sender == curator,"NibblVault: Only Curator");
        curator = _newCurator;
    }    

Upgradeable contract is missing a __gap[50] storage variable to allow for new storage variables in later versions

Referenced here

1. File: NibblVault.sol#20

    contract NibblVault is INibblVault, BancorFormula, ERC20Upgradeable, Twav, EIP712Base {

QA

Magic numbers should be declared as constants.

1. File: NibblVault.sol#L183


    uint _primaryReserveBalance = (primaryReserveRatio * _initialTokenSupply * _initialTokenPrice) / (SCALE * 1e18);

2. File: NibblVault.sol#L195


    uint _primaryReserveBalance = (primaryReserveRatio * _initialTokenSupply * _initialTokenPrice) / (SCALE * 1e18);

3. File: NibblVault.sol#L303

    uint32 _blockTimestamp = uint32(block.timestamp % 2**32);


primaryReserveRatio should be written in all capitals

This variable does not conform to the other constants and should be written as PRIMARY_RESERVE_RATIO

1. File: NibblVault.sol#L195

    uint32 private constant primaryReserveRatio = 200_000; //20%

Comment seems to contradict actual code

This could just be my lack of understanding, but this comment appears to be wrong or at least not properly explained.

1. File: NibblVault.sol#L405-406

    // buyoutValuationDeposit = _currentValuation - ((primaryReserveBalance - fictitiousPrimaryReserveBalance) + secondaryReserveBalance); 
    buyoutValuationDeposit = msg.value - (_buyoutBid - _currentValuation);
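
Hardened versions of the three code-level points in the report above (the address(0) check in updateCurator, named constants in place of the magic numbers, and a __gap slot), as an added example for this page; it is not NibblVault's code and is not part of the warden's report or the judge's reply. The two-step pendingCurator/acceptCurator handover goes beyond the report's suggestion of a bare zero-address check; the InitializableStub base, the CuratorVaultExample name and the constant names other than SCALE and primaryReserveRatio are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

/// @dev Minimal stand-in for the upgradeable base contracts NibblVault inherits.
///      Constructed for this example only; not the project's code.
abstract contract InitializableStub {
    bool private _initialized;

    modifier initializer() {
        require(!_initialized, "already initialized");
        _initialized = true;
        _;
    }
}

contract CuratorVaultExample is InitializableStub {
    // Constants named in the same style as SCALE, per the report's note on primaryReserveRatio.
    uint32 private constant PRIMARY_RESERVE_RATIO = 200_000; // 20% of SCALE
    uint32 private constant SCALE = 1_000_000;
    uint256 private constant TOKEN_PRICE_SCALE = 1e18; // replaces the bare 1e18 in the reserve formula (assumed name)

    address public curator;
    address public pendingCurator; // two-step handover, an addition beyond the report's suggestion

    event CuratorUpdated(address indexed oldCurator, address indexed newCurator);

    function initialize(address _curator) external initializer {
        require(_curator != address(0), "NibblVault: zero curator");
        curator = _curator;
    }

    /// Hardened form of updateCurator: rejects address(0) so curator rights cannot
    /// be burned by a typo or an uninitialised argument.
    function updateCurator(address _newCurator) external {
        require(msg.sender == curator, "NibblVault: Only Curator");
        require(_newCurator != address(0), "NibblVault: zero address curator");
        pendingCurator = _newCurator;
    }

    /// The new curator must claim the role, so a transfer to an address nobody
    /// controls fails closed instead of locking the curator's privileges.
    function acceptCurator() external {
        require(msg.sender == pendingCurator, "NibblVault: Not pending curator");
        emit CuratorUpdated(curator, pendingCurator);
        curator = pendingCurator;
        pendingCurator = address(0);
    }

    /// Reserve formula from the report with the magic numbers replaced by named constants.
    function primaryReserveBalance(uint256 _initialTokenSupply, uint256 _initialTokenPrice)
        public
        pure
        returns (uint256)
    {
        return (PRIMARY_RESERVE_RATIO * _initialTokenSupply * _initialTokenPrice) / (SCALE * TOKEN_PRICE_SCALE);
    }

    /// Storage gap reserved for future state variables of an upgradeable contract;
    /// it keeps the slot layout stable for contracts that inherit from this one.
    uint256[50] private __gap;
}
```

The zero-address require alone closes the lock-out the report describes; the pending/accept pair additionally protects against handing the role to a live but wrong address, which a zero check cannot catch.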
HardlyDifficult commented 2 years ago

Good feedback, concise report