Price is equal to collectionMintCost
at the end of sale for salesOption == 2
#1439
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-1275
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L540
Vulnerability details
Vulnerability Details
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L540
getPrice
checks for<
when comparing withblock.timestamp
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L221
mint
checks for<=
It means that at the last second of the sale the price will be
collectionMintCost
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L566
return collectionPhases[_collectionId].collectionMintCost;
Impact
Impossible to buy at the last second for the
collectionEndMintCost
Users who wished to buy at the last second for the lowest price won't be able to do it
Integration problems are possible when 3rd party requests
getPrice
because the price will suddenly spike at the last second. E.g. bots who try to buy at the last second and requestgetPrice
will massively overpayProof of Concept
Put the test file below to
hardhat/tests/fileName.test.js
and runnpx hardhat test test/fileName.test.js
Tools Used
Manual review
Recommended Mitigation Steps
Use
<
,>
and<=
,>=
consistently. Either strict or non-strict in all the relevant places.Assessed type
Math
The text was updated successfully, but these errors were encountered: