Open code423n4 opened 1 year ago
R
R
NC
L
R
Valid R
Because the event fires, NC
L
Invalid
NC
Pretty good!
2L 4R 2NC
The ArtGobblers contract is not an ERC721Receiver. It won't support gobbling of NFTs that their transferFrom function does the onERC721Received callback.
I think this is a false positive? ERC721 `transferFrom` doesn't invoke the callback, only safetransfer, which we explicitly don't use
Agree that this is a false positive and believe I've closed the ones suggesting to add it, will double check
QA Report
- `ArtGobblers.claimGobbler()` function allows each user to claim at most 1 gobbler. It will be better to extend this functionality to allow users to claim an amount of gobblers that will be specified in the merkle tree.
- The `mintFromGoo` in both of the `ArtGobblers` and the `Pages` contracts allows the users to pay goo from his virtual balance or from his actual goo balance. This functionality can be improved by allowing a user to use both of these balances - this will save the users from first adding goo to their virtual balance and then using it, or withdrawing goo from their virtual balance and then using their non-virtual balance. This will of course relate to the case where the user doesn't have enough balance to pay in both his virtual and non-virtual balances.
- `legendaryGobblerPrice` will return a value and won't revert even after all the legendary gobblers will be minted. This can confuse innocent users into thinking another legendary gobbler will be minted/is open for auction. This will happen in 2 unwanted cases - when all the legendary gobblers will be sold, and the value of `numMintedFromGoo` will be either 6391 or 6392. 6392 is the maximum number of gobblers that can be sold (i.e. `MAX_MINTABLE`), and when the `numMintedFromGoo` value will be one of the two I mentioned before, the `legendaryGobblerPrice` function will return unwanted values.
- `acceptRandomSeed` function to verify that the contract is actually waiting for a seed. If somehow the Chainlink oracle will call the function multiple times, this can be harmful to the contract.
- `gobble` function doesn't allow an operator to feed the gobbler with an NFT. The current implementation reverts if `owner != msg.sender`, but it shouldn't revert if the `msg.sender` is an allowed operator, i.e. `isApprovedForAll[owner][msg.sender] == true`.
- `updateUserGooBalance` is an internal function but it doesn't have an underscore in the beginning of its name.
- `getCopiesOfArtGobbledByGobbler` mapping becomes irrelevant. Consider saving the data differently to allow moving it to the legendary gobbler when it is burned.
- `numGobblersEach` argument to the `ArtGobblers.mintReservedGobblers()` function. This can also happen by providing `numPages = 0` to the `Pages.mintCommunityPages()` function.
- The `ArtGobblers` contract is not an ERC721Receiver. It won't support gobbling of NFTs that their transferFrom function does the `onERC721Received` callback.