- Total Prize Pool: $20,000 in USDC
- HM awards: $15,900 in USDC
- QA awards: $700 in USDC
- Judge awards: $1,700 in USDC
- Validators awards: $1,200 in USDC
- Scout awards: $500 in USDC
- Join C4 Discord to register
- Submit findings using the C4 form
- Read our guidelines for more details
- Starts May 22, 2024 20:00 UTC
- Ends May 27, 2024 20:00 UTC
The 4naly3er report can be found here.
Note for C4 wardens: Anything included in this Automated Findings / Publicly Known Issues section is considered a publicly known issue and is ineligible for awards.
Munchables is a GameFi project with a twist.
The objective of the game is to earn as many Munch Points as possible. In crypto terms, you could call this "point farming".
Built on top of Blast, Munchables leverages the unique on-chain primitives to create a reward-filled journey.
Players collect Munchables and keep them safe, fed and comfortable in their snuggery.
Once in a snuggery, a Munchable can start earning rewards for that player.
A variety of factors influence the rewards earned, so players will have to be smart when choosing which Munchables to put in their snuggery and the strategies they use to play the game.
- Previous audits: We are currently working with Nethermind. The audit is not complete yet. All issues they have found have already been implemented though.
- Documentation: /guides/*.md
- Website: https://www.munchables.app/
- X/Twitter: https://twitter.com/_munchables_
- Discord: https://discord.com/invite/munchables
See scope.txt
| File | Logic Contracts | Interfaces | SLOC | Purpose | Libraries used |
|---|---|---|---|---|---|
| /src/managers/LockManager.sol | 1 | **** | 413 | @openzeppelin/contracts/token/ERC20/ERC20.sol, @openzeppelin/contracts/utils/ReentrancyGuard.sol | |
| Totals | 1 | **** | 413 |
See out_of_scope.txt
| File |
|---|
| ./src/config/BaseConfigStorage.sol |
| ./src/config/BaseConfigStorageUpgradeable.sol |
| ./src/config/ConfigStorage.sol |
| ./src/distributors/FundTreasuryDistributor.sol |
| ./src/interfaces/IAccountManager.sol |
| ./src/interfaces/IBaseBlastManager.sol |
| ./src/interfaces/IBlast.sol |
| ./src/interfaces/IBonusManager.sol |
| ./src/interfaces/IClaimManager.sol |
| ./src/interfaces/IConfigNotifiable.sol |
| ./src/interfaces/IConfigStorage.sol |
| ./src/interfaces/IDistributor.sol |
| ./src/interfaces/IERC20YieldClaimable.sol |
| ./src/interfaces/IHoldsGovernorship.sol |
| ./src/interfaces/ILockManager.sol |
| ./src/interfaces/IMigrationManager.sol |
| ./src/interfaces/IMunchNFT.sol |
| ./src/interfaces/IMunchToken.sol |
| ./src/interfaces/IMunchadexManager.sol |
| ./src/interfaces/INFTAttributesManager.sol |
| ./src/interfaces/INFTOverlord.sol |
| ./src/interfaces/IPrimordialManager.sol |
| ./src/interfaces/IRNGProxy.sol |
| ./src/interfaces/IRNGProxySelfHosted.sol |
| ./src/interfaces/IRewardsManager.sol |
| ./src/interfaces/ISnuggeryManager.sol |
| ./src/libraries/MunchablesCommonLib.sol |
| ./src/libraries/SignatureVerifier.sol |
| ./src/managers/AccountManager.sol |
| ./src/managers/BaseBlastManager.sol |
| ./src/managers/BaseBlastManagerUpgradeable.sol |
| ./src/managers/BonusManager.sol |
| ./src/managers/ClaimManager.sol |
| ./src/managers/MigrationManager.sol |
| ./src/managers/MunchadexManager.sol |
| ./src/managers/NFTAttributeManagerV1.sol |
| ./src/managers/PrimordialManager.sol |
| ./src/managers/RewardsManager.sol |
| ./src/managers/SnuggeryManager.sol |
| ./src/mock/MockAccountManager.sol |
| ./src/mock/MockBlast.sol |
| ./src/mock/MockClaimManager.sol |
| ./src/mock/MockConfigNotifiable.sol |
| ./src/mock/MockLockManager.sol |
| ./src/mock/MockMigrationManager.sol |
| ./src/mock/MockMunchNFT.sol |
| ./src/mock/MockMunchadexManager.sol |
| ./src/mock/MockNFTAttributeManagerV1.sol |
| ./src/mock/MockNFTOverlord.sol |
| ./src/mock/MockPrimordialManager.sol |
| ./src/mock/MockRNGProxy.sol |
| ./src/mock/MockRNGRequester.sol |
| ./src/mock/MockRewardsManager.sol |
| ./src/mock/MockSnuggeryManager.sol |
| ./src/overlords/NFTOverlord.sol |
| ./src/proxy/ProxyFactory.sol |
| ./src/rng/BaseRNGProxy.sol |
| ./src/rng/RNGProxyAPI3.sol |
| ./src/rng/RNGProxySelfHosted.sol |
| ./src/test/ClaimGas.sol |
| ./src/test/ClaimYield.t.sol |
| ./src/test/MigrationManager.t.sol |
| ./src/test/MunchablesTest.sol |
| ./src/test/SpeedRun.t.sol |
| ./src/test/SwapRewardsManager.sol |
| ./src/tokens/MunchNFT.sol |
| ./src/tokens/MunchToken.sol |
| ./src/tokens/OldMunchNFT.sol |
| ./src/tokens/TestERC20Token.sol |
| Totals: 69 |
| Question | Answer |
|---|---|
| ERC20 used by the protocol | USDB, WETH, (assume we can add more to the future for use in LockManager) |
| ERC721 used by the protocol | No |
| ERC777 used by the protocol | No |
| ERC1155 used by the protocol | No |
| Chains the protocol will be deployed on | Blast Mainnet |
| Question | Answer |
|---|---|
| Enabling/disabling fees (e.g. Blur disables/enables fees) | No |
| Pausability (e.g. Uniswap pool gets paused) | No |
| Upgradeability (e.g. Uniswap gets upgraded) | No |
N/A
- Assume onlyAdmin can only be called by the admin
- Assume all price feed roles are set by us
- Assume it's intentional that setLockDuration resets all of the existing lock token durations.
The most important thing is that funds cannot get locked forever, people cannot take other people's funds, and that people cannot reduce lockup times that are previously set.
N/A
N/A
pnpm i
pnpm build
pnpm test
# If you would like to see additional granular documentation, you can check it out by running this:
pnpm serve:docMost of the relevant tests for this contest are in typescript under tests/managers/LockManager/*.test.ts
See slither.txt
Employees of Munchables and employees' family members are ineligible to participate in this audit.