Rickard-Q.md

File metadata and controls

30 lines (28 loc) · 1.6 KB

[L-01] Use the safe variant of ERC721._mint

Lines of code

https://github.com/code-423n4/2023-05-juicebox/blob/main/juice-buyback/contracts/JBXBuybackDelegate.sol#L205
https://github.com/code-423n4/2023-05-juicebox/blob/main/juice-buyback/contracts/JBXBuybackDelegate.sol#L207

Vulnerability details

Impact

_mint() does not check whether the recipient is able to receive the NFT: it never calls onERC721Received on a contract recipient. If an incorrect address (for example a contract that does not implement IERC721Receiver) is passed, the mint succeeds silently and the token is stuck at that address, i.e. the asset is lost.

OpenZeppelin's recommendation is to use the safe variant, _safeMint(), which performs this receiver check and reverts when it fails.

Tools Used

Manual review

Recommended mitigation steps

Replace _mint() with _safeMint().
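The following is an added example (not code from the Juicebox repository) that shows the behavioural difference the finding describes. The contract and function names (SafeMintExample, NonReceiver, GoodReceiver, mintUnsafe, mintSafe) are hypothetical; it assumes OpenZeppelin Contracts v4.x.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

// Hypothetical minimal ERC721 exposing both mint variants side by side.
contract SafeMintExample is ERC721 {
    constructor() ERC721("Example", "EX") {}

    // Unsafe: no receiver check. Minting to a contract that cannot handle
    // ERC721 tokens succeeds, and the token is stuck there forever.
    function mintUnsafe(address to, uint256 id) external {
        _mint(to, id);
    }

    // Safe: for a contract recipient, ERC721 calls onERC721Received and
    // reverts with "ERC721: transfer to non ERC721Receiver implementer"
    // unless the magic selector is returned.
    function mintSafe(address to, uint256 id) external {
        _safeMint(to, id);
    }
}

// A contract with no onERC721Received: mintUnsafe(address(this), id)
// succeeds and locks the token; mintSafe(address(this), id) reverts.
contract NonReceiver {}

// A contract that opts in to receiving tokens: both variants succeed.
contract GoodReceiver is IERC721Receiver {
    function onERC721Received(address, address, uint256, bytes calldata)
        external pure override returns (bytes4)
    {
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

Note that _safeMint hands control to the recipient's onERC721Received hook, so the usual reentrancy considerations (checks-effects-interactions, or a reentrancy guard) apply to the minting function.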

[N-01] Use underscores for number literals

Lines of code

https://github.com/code-423n4/2023-05-juicebox/blob/main/juice-buyback/contracts/JBXBuybackDelegate.sol#L68

Vulnerability details

Impact

juice-buyback/contracts/JBXBuybackDelegate.sol, line 68:

```solidity
uint256 private constant SLIPPAGE_DENOMINATOR = 10000;
```

Tools Used

Manual review

Recommended mitigation steps

```diff
- uint256 private constant SLIPPAGE_DENOMINATOR = 10000;
+ uint256 private constant SLIPPAGE_DENOMINATOR = 10_000;
```