Skip to content

Instantly share code, notes, and snippets.

@lcanady

lcanady/AuditReport.md

Created August 8, 2023 23:56
Show Gist options
  • Save lcanady/af5e3ccb54486e7f9abc7abca9416c75 to your computer and use it in GitHub Desktop.
Save lcanady/af5e3ccb54486e7f9abc7abca9416c75 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
AuditReport.md

Nakamigos Contract Analysis

The Nakamigos contract seems to be an Ethereum-based NFT minting and management system. It has a stepped Dutch auction mechanism, an allowlist claim mechanism based on an EOS snapshot, and other functionalities.

1. State Variables

uint256 public constant MAX_SUPPLY = 20000;
uint256 public constant MAX_TOKENS_PER_PURCHASE = 10;

string public provenance;
string private _baseURIextended;

address public snapshotContract;
address payable public immutable shareholderAddress;
address private constant _DELEGATION_REGISTRY = 0x00000000000076A84feF008CDAbe6409d2FE638B;

These variables define key parameters:

  • MAX_SUPPLY: The total supply of tokens that can be minted.
  • MAX_TOKENS_PER_PURCHASE: Maximum tokens a user can purchase in a single transaction.
  • provenance: Presumably a hash or record indicating the origin and authenticity of the NFTs.
  • _baseURIextended: The base URI for NFT metadata.
  • snapshotContract: Address of the contract that holds the EOS snapshot data.
  • shareholderAddress: Address that will receive any withdrawn funds.
  • _DELEGATION_REGISTRY: A constant address likely pointing to a registry managing delegations.

2. Custom Error Handling

error NoContractMinting();
error NotDelegatedOnContract();
error RefundFailed();
error SnapshotContractNotSet();

These custom errors provide more descriptive failure reasons for specific actions.

3. Events

event DutchAuctionMint(address indexed userAddress, uint256 numberOfTokens);
event AllowListClaimMint(address indexed userAddress, address indexed vault, uint256 numberOfTokens);
  • DutchAuctionMint: Emitted when a user mints tokens via the Dutch auction.
  • AllowListClaimMint: Emitted when a user claims tokens from the EOS snapshot allowlist.

4. Modifiers

modifier supplyAvailable(uint256 numberOfTokens) {
    if (_totalMinted() + numberOfTokens > MAX_SUPPLY) {
        revert ExceedsMaximumSupply();
    }
    _;
}

This modifier ensures that the number of tokens minted doesn't exceed the MAX_SUPPLY.

5. Allowlist Token Claims

Users can claim tokens against their EOS token holdings. If the EOS holdings were in a different address, they can delegate another address for the claim. This functionality is implemented in:

function mintAllowList(address vault, uint256 numberOfTokens, uint256 tokenQuota, bytes32[] calldata proof) external {...}

6. Dutch Auction Mechanism

The Dutch auction mechanism is a system where the price of the item starts high and is reduced until it finds a buyer.

function mintDutch(uint256 numberOfTokens) external payable {...}

Users can call this function to mint tokens at the current price of the auction.

7. Admin & Developer Utilities

Admins have special privileges including minting reserved tokens, setting the metadata URI, updating the provenance hash, and withdrawing funds.

function devMint(address to, uint256 numberOfTokens) external {...}
function setBaseURI(string calldata baseURI_) external {...}
function setProvenance(string calldata provenance_) external {...}
function withdraw() external onlyOwner {...}

8. Interface Overrides

The contract overrides some functions from its inherited contracts to ensure specific behaviors.

function supportsInterface(bytes4 interfaceId) public view virtual override {...}
function _baseURI() internal view virtual override returns (string memory) {...}

Recommendations & Fixes

  1. Refund Mechanism:

    There is a potential issue in the refund mechanism where if the user sends more ether than the required price, it tries to refund the difference. If the refund transaction fails, the function reverts, causing the entire transaction to fail.

    Fix:

    Instead of reverting the transaction, log an event indicating the refund failure. This way, the primary purpose of the transaction (token minting) succeeds, and the user is informed of the refund issue.

    event RefundFailed(address user, uint256 amount);

if (msg.value > price) {
    (bool success, ) = msg.sender.call{value: (msg.value - price)}("");
    if (!success) emit RefundFailed(msg.sender, (msg.value - price));
}

  2. Snapshot Contract Initialization:

    The snapshotContract address is crucial for the allowlist claim mechanism. It might be beneficial to set this address in the constructor rather than a separate function to ensure it's always initialized.

    Fix:

    Modify the constructor to accept snapshotContract as a parameter and initialize it.

    constructor(address payable shareholderAddress_, address snapshotContract_) {...}
snapshotContract = snapshotContract_;

  3. Additional Comments:

    It might be helpful to add more comments throughout the contract, explaining the logic and purpose of each function, especially for complex mechanisms like the Dutch auction and allowlist claims.

Actionable Items:

  • Modify the refund mechanism to emit an event instead of reverting the entire transaction.
  • Initialize the snapshotContract address in the constructor.
  • Add detailed comments throughout the contract to provide clarity on the logic and functionality.

In conclusion, the Nakamigos contract offers a rich set of functionalities for NFT minting and management. The integration of both Dutch auction and allowlist claim mechanisms is especially interesting, catering to both open-market participants and EOS token holders. The identified issues and recommendations can enhance the contract's robustness and clarity.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment