# Nftmarketplace Audit
## Info
- Auditor: Mohamed Boukri.
## Disclaimers
## Issues
## Lazy1155.sol
### The royalty fee is controlled by the owner [CRITICAL]
**Description**
The owner can set any value in the fee variable. This means the owner may change it to something other than what was agreed on with the community, which is a significant risk for users.
**File(s)**
* `contracts/Lazy1155.sol` (L1530)
**Recommendation**
We recommend limiting the fee value by adding a `require` statement that enforces an upper bound.
### LazyMint Implementation [High]
**Description**
Lazy Minting defers the actual minting until right before the NFT is sold. This way the buyer pays the minting fee when the NFT is sold, rather than the creator paying it up front, making NFT creation affordable and equitable for creators.
The `_lazymint` function in this contract does not follow this logic.
**File(s)**
* `Lazy1155.sol` (L1547)
**Recommendation**
We recommend modifying this function so that it follows the lazy-mint logic described above.
### Floating Pragma [LOW]
**Description**
The contract uses a floating pragma for compiler version 0.8.0. Contracts should be deployed with the same compiler version and flags that were used during testing. Locking the pragma helps ensure that contracts are not unintentionally deployed with another compiler version, such as an obsolete one that may introduce issues into the contract system.
**File(s)**
* `contracts/Lazy1155.sol` (L6)
**Recommendation**
Consider locking the pragma version. Floating pragmas should not be used in production. Both truffle-config.js and hardhat.config.js support locking the compiler version.
### For Loop Over Dynamic Array [LOW]
**Description**
Every contract deployment or function call consumes gas in proportion to the computation it performs. Looping over an array of unknown size that grows over time can therefore lead to a Denial of Service: simply by making the array large enough, users can push the loop past the block gas limit, so the transaction can never succeed.
**File(s)**
* `contracts/Lazy1155.sol` (L973,L1109,L1230,L1306)
**Recommendation**
Avoid actions that involve looping across the entire data structure. If you really must loop over an array of unknown size, arrange for the work to be spread across many blocks and thus multiple transactions.
## Lazy721.sol
### The royalty fee is controlled by the owner [CRITICAL]
**Description**
The owner can set any value in the fee variable. This means the owner may change it to something other than what was agreed on with the community, which is a significant risk for users.
**File(s)**
* `contracts/Lazy721.sol` (L1567)
**Recommendation**
We recommend limiting the fee value by adding a `require` statement that enforces an upper bound.
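As an added illustration of the recommendation for both the Lazy1155 and Lazy721 royalty-fee findings (example code, not the audited contracts; the contract name, `MAX_FEE_BPS`, the basis-point unit and the inline owner check are assumptions), the unbounded setter described in the finding is shown next to a bounded one:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.17;

/// Constructed example: a royalty-fee setter with and without an upper bound.
contract RoyaltyFeeExample {
    address public immutable owner;

    /// Fee in basis points (1 bp = 0.01%); 10_000 bps = 100%.
    uint96 public fee;

    /// Ceiling agreed with the community; a constant, so the owner cannot raise it.
    uint96 public constant MAX_FEE_BPS = 1_000; // 10%

    event FeeUpdated(uint96 oldFee, uint96 newFee);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    /// Pattern described in the finding: any value is accepted, so the fee
    /// could be set to 100% (or above) and take the whole sale price.
    function setFeeUnbounded(uint96 newFee) external onlyOwner {
        fee = newFee;
    }

    /// Hardened setter: reject anything above the agreed ceiling.
    function setFee(uint96 newFee) external onlyOwner {
        require(newFee <= MAX_FEE_BPS, "fee exceeds MAX_FEE_BPS");
        emit FeeUpdated(fee, newFee);
        fee = newFee;
    }

    /// Royalty due on a sale; safe because fee <= MAX_FEE_BPS <= 10_000.
    function royaltyFor(uint256 salePrice) external view returns (uint256) {
        return (salePrice * fee) / 10_000;
    }
}
```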
### LazyMint Implementation [High]
**Description**
Lazy Minting defers the actual minting until right before the NFT is sold. This way the buyer pays the minting fee when the NFT is sold, rather than the creator paying it up front, making NFT creation affordable and equitable for creators.
The `_lazymint` function in this contract is the same as `_mint`.
**File(s)**
* `Lazy721.sol` (1288)
**Recommendation**
We recommend modifying this function so that it follows the lazy-mint logic described above.
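The lazy-mint flow described in the Lazy1155 and Lazy721 findings, as an added example that is not the audited code: the creator signs an off-chain voucher, and the token is minted only when a buyer redeems it and pays. The contract name, the `Voucher` struct and the use of OpenZeppelin 4.x `ERC721`, `EIP712` and `ECDSA` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.17;

import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/utils/cryptography/EIP712.sol";
import "@openzeppelin/contracts/utils/cryptography/ECDSA.sol";

/// Constructed example: nothing is minted, and no gas is spent by the creator,
/// until a buyer presents a valid creator-signed voucher together with payment.
contract LazyMintExample is ERC721, EIP712 {
    struct Voucher {
        uint256 tokenId;
        uint256 minPrice; // in wei
        address creator;  // signer of the voucher and recipient of the payment
    }

    bytes32 private constant VOUCHER_TYPEHASH =
        keccak256("Voucher(uint256 tokenId,uint256 minPrice,address creator)");

    constructor() ERC721("LazyMintExample", "LME") EIP712("LazyMintExample", "1") {}

    /// The only minting path: checks, then mint (effect), then payout (interaction).
    function redeem(Voucher calldata v, bytes calldata signature) external payable returns (uint256) {
        require(msg.value >= v.minPrice, "insufficient payment");
        require(_recoverSigner(v, signature) == v.creator, "invalid voucher signature");
        // _mint reverts if tokenId already exists, so a voucher cannot be redeemed twice.
        _mint(msg.sender, v.tokenId);
        (bool ok, ) = v.creator.call{value: msg.value}("");
        require(ok, "payout failed");
        return v.tokenId;
    }

    /// EIP-712 typed-data hash of the voucher, bound to this contract and chain id.
    function _hash(Voucher calldata v) internal view returns (bytes32) {
        return _hashTypedDataV4(
            keccak256(abi.encode(VOUCHER_TYPEHASH, v.tokenId, v.minPrice, v.creator))
        );
    }

    function _recoverSigner(Voucher calldata v, bytes calldata signature) internal view returns (address) {
        return ECDSA.recover(_hash(v), signature);
    }
}
```

Because the voucher is hashed under the EIP-712 domain, a signature cannot be replayed against another deployment or chain, and `_mint` rejects a second redemption of the same token id.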
### Floating Pragma [LOW]
**Description**
The contract uses a floating pragma for compiler version 0.8.0. Contracts should be deployed with the same compiler version and flags that were used during testing. Locking the pragma helps ensure that contracts are not unintentionally deployed with another compiler version, such as an obsolete one that may introduce issues into the contract system.
**File(s)**
* `contracts/Lazy721.sol` (L6)
**Recommendation**
Consider locking the pragma version. Floating pragmas should not be used in production. Both truffle-config.js and hardhat.config.js support locking the compiler version.
### For Loop Over Dynamic Array [LOW]
**Description**
Every contract deployment or function call consumes gas in proportion to the computation it performs. Looping over an array of unknown size that grows over time can therefore lead to a Denial of Service: simply by making the array large enough, users can push the loop past the block gas limit, so the transaction can never succeed.
**File(s)**
* `contracts/Lazy721.sol` (L1689)
**Recommendation**
Avoid actions that involve looping across the entire data structure. If you really must loop over an array of unknown size, arrange for the work to be spread across many blocks and thus multiple transactions.
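An added example of the recommendation for the Lazy1155 and Lazy721 loop findings (not the audited code; the contract, `recipients`, `owed`, `cursor` and the payout scenario are assumptions): the unbounded loop next to a cursor-based variant that processes a fixed number of entries per transaction.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.17;

/// Constructed example: paying out to a list of recipients that can grow without bound.
contract BatchedLoopExample {
    address[] public recipients;
    mapping(address => uint256) public owed;
    uint256 public cursor; // index of the next recipient still to be processed

    /// Adds funds for `to`; the first credit also appends `to` to the array.
    function credit(address to) external payable {
        if (owed[to] == 0) recipients.push(to);
        owed[to] += msg.value;
    }

    /// Unbounded loop as described in the finding: once `recipients` is large
    /// enough, this call exceeds the block gas limit and can never succeed again.
    function payAll() external {
        for (uint256 i = 0; i < recipients.length; i++) {
            _pay(recipients[i]);
        }
    }

    /// Bounded alternative: at most `maxCount` entries per transaction, with a
    /// cursor so the full sweep is spread over as many blocks as needed.
    function payBatch(uint256 maxCount) external returns (uint256 processed) {
        uint256 end = cursor + maxCount;
        if (end > recipients.length) end = recipients.length;
        for (uint256 i = cursor; i < end; i++) {
            _pay(recipients[i]);
        }
        processed = end - cursor;
        cursor = end;
        if (cursor == recipients.length) cursor = 0; // sweep complete; next call starts over
    }

    /// Effects before interaction; a failed transfer does not revert the batch,
    /// so one unpayable recipient cannot block everyone else.
    function _pay(address to) internal {
        uint256 amount = owed[to];
        if (amount == 0) return;
        owed[to] = 0;
        (bool ok, ) = to.call{value: amount}("");
        if (!ok) owed[to] = amount; // keep the balance claimable for a later sweep
    }
}
```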
## ERC1967Upgrade.sol
### Floating Pragma [Low]
**Description**
The contract uses a floating pragma for compiler version 0.8.2. Contracts should be deployed with the same compiler version and flags that were used during testing. Locking the pragma helps ensure that contracts are not unintentionally deployed with another compiler version, such as an obsolete one that may introduce issues into the contract system.
**File(s)**
* `utils/ERC1967Upgrade.sol` (L3)
**Recommendation**
Consider locking the pragma version. Floating pragmas should not be used in production. Both truffle-config.js and hardhat.config.js support locking the compiler version.
### _upgradeToAndCallSecure [Info]
**Description**
In openzeppelin-contracts, the function `_upgradeToAndCallSecure` was renamed to `_upgradeToAndCallUUPS`; the security mechanism and the implementation were changed as well.
**File(s)**
* `ERC1967Upgrade.sol` (L76)
**Recommendation**
We recommend replacing this function with `_upgradeToAndCallUUPS`.
## StorageSlot.sol
### Floating Pragma [Low]
**Description**
The contract uses a floating pragma for compiler version 0.8.0. Contracts should be deployed with the same compiler version and flags that were used during testing. Locking the pragma helps ensure that contracts are not unintentionally deployed with another compiler version, such as an obsolete one that may introduce issues into the contract system.
**File(s)**
* `utils/storageSlot.sol` (L3)
**Recommendation**
Consider locking the pragma version. Floating pragmas should not be used in production. Both truffle-config.js and hardhat.config.js support locking the compiler version.
## IBeacon.sol
### Floating Pragma [Low]
**Description**
The contract uses a floating pragma for compiler version 0.8.0. Contracts should be deployed with the same compiler version and flags that were used during testing. Locking the pragma helps ensure that contracts are not unintentionally deployed with another compiler version, such as an obsolete one that may introduce issues into the contract system.
**File(s)**
* `utils/IBeacon.sol` (L3)
**Recommendation**
Consider locking the pragma version. Floating pragmas should not be used in production. Both truffle-config.js and hardhat.config.js support locking the compiler version.
## ERC1967Proxy.sol
### Floating Pragma [Low]
**Description**
The contract uses a floating pragma for compiler version 0.8.0. Contracts should be deployed with the same compiler version and flags that were used during testing. Locking the pragma helps ensure that contracts are not unintentionally deployed with another compiler version, such as an obsolete one that may introduce issues into the contract system.
**File(s)**
* `utils/ERC1967Proxy.sol` (L3)
**Recommendation**
Consider locking the pragma version. Floating pragmas should not be used in production. Both truffle-config.js and hardhat.config.js support locking the compiler version.
## TransparentUpgradeableProxy.sol
### Floating Pragma [Low]
**Description**
The contract uses a floating pragma for compiler version 0.8.0. Contracts should be deployed with the same compiler version and flags that were used during testing. Locking the pragma helps ensure that contracts are not unintentionally deployed with another compiler version, such as an obsolete one that may introduce issues into the contract system.
**File(s)**
* `TransparentUpgradeableProxy.sol` (L3)
**Recommendation**
Consider locking the pragma version. Floating pragmas should not be used in production. Both truffle-config.js and hardhat.config.js support locking the compiler version.
## Best practices
### Public Function Can Be Declared External [Low]
**Description**
Functions with `public` visibility that are never called from inside the contract should be declared `external` to reduce gas costs.
**File(s)**
* `Lazy721.sol` (1673)
* `Lazy721.sol` (1687)
* `Lazy721.sol` (1698)
* `Lazy721.sol` (1701)
* `Lazy721.sol` (1704)
* `Lazy721.sol` (1708)
* `Lazy1155.sol` (1614)
* `Lazy1155.sol` (1627)
* `Lazy1155.sol` (1630)
* `Lazy1155.sol` (1633)
* `Lazy1155.sol` (1635)
* `Lazy1155.sol` (1640)
### Presence of unused code
**Description**
The program contains code that is not essential for execution, i.e. it makes no state changes and has no side effects that alter data or control flow, so removing it would have no impact on functionality or correctness. `Context._msgData()` is never used and should be removed.
**File(s)**
* `Lazy721.sol` (L493)
* `Lazy721.sol` (L552)
* `Lazy1155.sol` (L23)