Omniscia Mantissa Finance Audit
Marketplace Manual Review Findings
MEC-01M: Inexistent Initialization Protection of Base Implementation
Type | Severity | Location
---|---|---
Language Specific | | Marketplace.sol:L14
Description:
The contract is meant to be upgradeable yet does not properly protect its logic deployment from malicious initializations.
Example:
```solidity
14 contract Marketplace is Initializable, Ownable, Pausable, ReentrancyGuard {
```
Recommendation:
We advise a constructor to be introduced that either invokes the initializer modifier of the Initializable contract or invokes the Initializable::_disableInitializers function to prevent the base implementation from ever being initialized.
Alleviation (418ee413ad8e26f7eea383764c19953ff31b2bf3):
The Mantissa Finance team evaluated this exhibit and stated that they wish to acknowledge it and that they will ensure the logic deployments are properly initialized whenever they are deployed.
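The following is an added illustration of the recommended constructor, not Mantissa Finance code. It assumes OpenZeppelin's upgradeable contracts v5 (`Initializable` and `OwnableUpgradeable`, where `__Ownable_init` takes the initial owner); the contract name, `initialize` signature and `minBidInterval` state variable are placeholders chosen for the example. Without the constructor, the logic deployment sitting behind the proxy never runs `initialize`, so any account can call it directly on the implementation and claim ownership of that deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";

/// Illustrative contract (not the audited Marketplace): demonstrates locking
/// the base implementation so only proxies can ever be initialized.
contract MarketplaceExample is Initializable, OwnableUpgradeable {
    // Placeholder state to show that initialize() sets configuration.
    uint256 public minBidInterval;

    /// @custom:oz-upgrades-unsafe-allow constructor
    constructor() {
        // Constructors execute only on the logic deployment itself; proxies
        // never run them. Marking all initializer versions as consumed means
        // initialize() reverts when called on the implementation address.
        _disableInitializers();
    }

    /// Called exactly once, through the proxy, by the deployer. The
    /// `initializer` modifier makes a second call revert.
    function initialize(address owner_, uint256 minBidInterval_) external initializer {
        __Ownable_init(owner_);
        minBidInterval = minBidInterval_;
    }
}
```

The alternative the recommendation mentions, `constructor() initializer {}`, achieves the same outcome on the implementation by consuming the initializer during construction; `_disableInitializers()` is the form OpenZeppelin currently documents and additionally blocks every `reinitializer` version, which matters once upgrades introduce new initializers.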
MEC-02M: Inexistent Enforcement of Bid Steps
Type | Severity | Location
---|---|---
Logical Fault | | Marketplace.sol:L200
Description:
The Marketplace auction system will permit a user to outbid another by a negligible difference of 1 wei that is valueless in most token denominations.
Impact:
The current bidding system is relatively unfair as it incentivizes on-chain race conditions towards the end of an auction rather than a "true" auction process.
Example:
```solidity
188 function makeAuctionBid(
189     address seller,
190     uint256 lid,
191     address token,
192     uint256 amount // 6 decimals
193 ) external notWhitelisted isAllowedToken(token) whenNotPaused nonReentrant {
194     Listing memory listing = listings[seller][lid];
195     require(listing.veMntAmount > 0 && !listing.sold && listing.isAuction, "Not a valid listing");
196     require(block.timestamp > listing.startTime, "Not Started");
197     require(block.timestamp < listing.endTime, "Auction Ended");
198     Bid memory bid = bids[seller][lid];
199     uint256 currentBidAmount = bid.amount;
200     require(amount >= listing.minPrice && amount > currentBidAmount, "Amount too low");
201     if (currentBidAmount > 0) {
202         uint256 currentTokenAmount = (currentBidAmount * (10 ** IERC20(bid.token).decimals())) / 1e6;
203         IERC20(bid.token).safeTransfer(bid.bidder, currentTokenAmount);
204     }
205     uint256 tokenAmount = (amount * (10 ** IERC20(token).decimals())) / 1e6;
206     IERC20(token).safeTransferFrom(msg.sender, address(this), tokenAmount);
207     bids[seller][lid] = Bid({
208         bidder: msg.sender,
209         token: token,
210         amount: amount,
211         bidAt: block.timestamp
212     });
213     emit AuctionBid(seller, lid, msg.sender, token, amount);
214 }
```
Recommendation:
We advise the creator of an auction to be able to configure a minimum step which bids should differ by, ensuring a better auction system and avoiding on-chain race conditions towards the end of an auction which would allow someone to outbid another trivially.
Alleviation (418ee413ad):
A contract-wide minBidInterval has been introduced to the codebase that needs to be satisfied by any consecutive bids, alleviating this exhibit and ensuring that bid increments are meaningful.
While the current solution has alleviated this exhibit, we would recommend the bid interval to be configurable per auction rather than per the contract, thus offering greater flexibility to users of the Marketplace.
Alleviation (5482fabf5b):
The Mantissa Finance team evaluated our recommended course of action and has opted to retain the contract-wide step configuration system to ensure the marketplace is simple to use and to prevent users from circumventing the bid step limits. As such, we consider the exhibit fully alleviated to the greatest extent possible per the business requirements of the Mantissa Finance team.
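As an added example that is not Mantissa Finance code, the stripped-down contract below shows the step check that closes the 1 wei outbid described in this exhibit, covering both forms discussed: the contract-wide `minBidInterval` the team adopted and the per-auction step the recommendation asked for. The `Listing.minBidStep` field, the `createAuction` function and the `minimumNextBid` helper are assumptions introduced for the illustration; token escrow, refunds, pausing, whitelisting and the reentrancy guard from the real `makeAuctionBid` are omitted so the comparison stays visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative auction (not the audited Marketplace): enforces a minimum
/// bid increment instead of the original `amount > currentBidAmount`.
contract BidStepExample {
    struct Listing {
        uint256 minPrice;    // first bid must reach this (6-decimal units, as in the page)
        uint256 minBidStep;  // assumed per-auction step; 0 means "use the contract default"
        uint256 startTime;
        uint256 endTime;
        bool isAuction;
        bool sold;
    }

    struct Bid {
        address bidder;
        uint256 amount;
    }

    /// Contract-wide fallback, mirroring the `minBidInterval` the fix introduced.
    uint256 public minBidInterval;
    mapping(address => mapping(uint256 => Listing)) public listings;
    mapping(address => mapping(uint256 => Bid)) public bids;

    constructor(uint256 minBidInterval_) {
        minBidInterval = minBidInterval_;
    }

    /// The seller chooses the step when opening the auction (assumed API).
    function createAuction(uint256 lid, uint256 minPrice, uint256 minBidStep, uint256 duration) external {
        listings[msg.sender][lid] = Listing({
            minPrice: minPrice,
            minBidStep: minBidStep,
            startTime: block.timestamp,
            endTime: block.timestamp + duration,
            isAuction: true,
            sold: false
        });
    }

    /// Smallest bid that would currently be accepted for this listing.
    /// Exposed so bidders can read the threshold instead of guessing it.
    function minimumNextBid(address seller, uint256 lid) public view returns (uint256) {
        Listing storage listing = listings[seller][lid];
        Bid storage bid = bids[seller][lid];
        if (bid.amount == 0) {
            return listing.minPrice;             // no bid yet: reserve price applies
        }
        uint256 step = listing.minBidStep > 0 ? listing.minBidStep : minBidInterval;
        return bid.amount + step;                // 0.8.x checked arithmetic reverts on overflow
    }

    function makeAuctionBid(address seller, uint256 lid, uint256 amount) external {
        Listing storage listing = listings[seller][lid];
        require(listing.isAuction && !listing.sold, "Not a valid listing");
        require(block.timestamp > listing.startTime, "Not Started");
        require(block.timestamp < listing.endTime, "Auction Ended");
        // The page's original check, `amount > currentBidAmount`, lets a bid
        // win by 1 wei; requiring the full step removes that incentive.
        require(amount >= minimumNextBid(seller, lid), "Bid below minimum step");
        // Refund of the previous bidder and escrow of `amount` would follow here.
        bids[seller][lid] = Bid({bidder: msg.sender, amount: amount});
    }
}
```

With `minBidStep` left at zero for every listing this behaves exactly like the contract-wide scheme the team kept; setting it per listing gives the per-auction flexibility the recommendation describes without changing the check itself. The step is expressed in the same 6-decimal units as `amount`, so a non-zero step remains meaningful regardless of the payment token's own decimals.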