Skip to content
This repository has been archived by the owner on May 5, 2024. It is now read-only.

sherlock-audit/2023-10-looksrare

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
.github/ISSUE_TEMPLATE
.github/ISSUE_TEMPLATE
 
 
.sherlock
.sherlock
 
 
contracts-infiltration
contracts-infiltration
 
 
.gitmodules
.gitmodules
 
 
README.md
README.md
 
 

Repository files navigation

Looks Rare contest details

Q&A

Q: On what chains are the smart contracts going to be deployed?

Mainnet

Q: Which ERC20 tokens do you expect will interact with the smart contracts?

LOOKS LINK indirectly as we need to pay for VRF WETH if ETH transfer fails

Q: Which ERC721 tokens do you expect will interact with the smart contracts?

The contract itself is an ERC-721A collection

Q: Which ERC777 tokens do you expect will interact with the smart contracts?

None

Q: Are there any FEE-ON-TRANSFER tokens interacting with the smart contracts?

None

Q: Are there any REBASING tokens interacting with the smart contracts?

None

Q: Are the admins of the protocols your contracts integrate with (if any) TRUSTED or RESTRICTED?

TRUSTED

Q: Is the admin/owner of the protocol/contracts TRUSTED or RESTRICTED?

TRUSTED

Q: Are there any additional protocol roles? If yes, please explain in detail:

The only role is the owner and it can do 3 things

  1. set/extend mint period
  2. start the game after mint
  3. withdraw funds from the contract if the game is bricked

Q: Is the code/contract expected to comply with any EIPs? Are there specific assumptions around adhering to those EIPs that Watsons should be aware of?

None

Q: Please list any known issues/acceptable risks that should not result in a valid finding.

Accepted Risks

maximumAmountMintedPerAddress can be bypassed. Agents can still be minted by the contract owner even after the mint period ends, as long as it is before the game begins. The maximumAmountMintedPerAddress restriction does not apply to this. Theoretically, the contract owner can wait for 36 hours after the mint period ends, not start the game, and withdraw everything (ETH and LOOKS) from the contract. In the case of extended periods of network congestion or any reason causing the randomness request not to be fulfilled, the contract owner is able to withdraw everything after approximately 36 hours. VRF provided randomness is trusted All active agent NFTs can be transferred at any point of time, so an active agent can be listed for sale on a marketplace and be bought even in the same block if it is in a transaction before the transaction that changes its state from active to another state. _mintERC2309 is called outside of contract creation, so the contract is non-compliant with the ERC721 standard.

Q: Please provide links to previous audits (if any).

None

Q: Are there any off-chain mechanisms or off-chain procedures for the protocol (keeper bots, input validation expectations, etc)?

We have a keeper bot that checks what the current block number is and calls startNewRound if needed

Q: In case of external protocol integrations, are the risks of external contracts pausing or executing an emergency withdrawal acceptable? If not, Watsons will submit issues related to these situations that can harm your protocol's functionality.

Yes they are acceptable

Q: Do you expect to use any of the following tokens with non-standard behaviour with the smart contracts?

No

Q: Add links to relevant protocol resources

N/A

Audit scope

contracts-infiltration @ 90bd6af2da7b3df1c5fac6595128ab62cf989cca

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

1 star

Watchers

4 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages