Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mintAndAuction can't be called for collections that are using sales model 1 #285

Closed
c4-submissions opened this issue Nov 4, 2023 · 6 comments
Closed

mintAndAuction can't be called for collections that are using sales model 1 #285

c4-submissions opened this issue Nov 4, 2023 · 6 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-1980 edited-by-warden unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-submissions
Copy link
Contributor

c4-submissions commented Nov 4, 2023
edited by code4rena-admin
Loading

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/hardhat/smart-contracts/MinterContract.sol#L292

Vulnerability details

Impact

mintAndAuction allows admins to mint a token, in a collection, per period and then start an auction on it. This ability should always be available to admins, regardless of the sales model used by the collection.

From the docs:

Fixed Price Sale
The minting cost is fixed during the minting phase. The rate and time period need to be set to 0 as they do not affect the price.

So if a collection is using sales model 1, the timePeriod should be set to 0. When mintAndAuction is called on a collection that uses sales model 1, it will revert on uint tDiff = (block.timestamp - timeOfLastMint) / collectionPhases[_collectionID].timePeriod; as it will be diving by 0. Blocking admins from the ability to "mint and auction".

Proof of Concept

context("my context", async () => {
  let globalCollectionId = 1;

  it("bug", async () => {
    // Helpers //
    const {
      hhCore: NextGenCore,
      hhAdmin: NextGenAdmins,
      hhMinter: Minter,
      hhRandomizer: Randomizer,
      hhAuction: Auction,
    } = contracts;
    const { owner, addr1: bob, addr2: alice, addr3: greg } = signers;
    const _1ETH = BigInt(1000000000000000000);
    const _0_1ETH = BigInt(100000000000000000);
    const _0_2ETH = BigInt(200000000000000000);
    const _0_3ETH = BigInt(300000000000000000);

    const now = async () => {
      return (await ethers.provider.getBlock()).timestamp;
    };

    const createCollection = async (collectionAdmin, maxSupply) => {
      const collectionID = globalCollectionId++;
      await NextGenCore.connect(owner).createCollection(
        `Test Collection ${collectionID}`,
        `Artist ${collectionID}`,
        "For testing",
        "www.test.com",
        "CCO",
        "https://ipfs.io/ipfs/hash/",
        "",
        ["desc"],
      );
      await NextGenAdmins.connect(owner).registerCollectionAdmin(collectionID, collectionAdmin.address, true);
      await NextGenCore.connect(collectionAdmin).setCollectionData(
        collectionID, // _collectionID
        collectionAdmin.address, // _collectionArtistAddress
        3, // _maxCollectionPurchases
        maxSupply, // _collectionTotalSupply
        0, // _setFinalSupplyTimeAfterMint
      );
      await Minter.connect(collectionAdmin).setCollectionCosts(
        collectionID, // _collectionID
        _1ETH, // _collectionMintCost 1 eth
        _0_1ETH, // _collectionEndMintCost 0.1 eth
        0, // _rate
        0, // _timePeriod
        1, // _salesOptions
        collectionAdmin.address, // delAddress
      );
      await Minter.connect(collectionAdmin).setCollectionPhases(
        collectionID, // _collectionID
        await now(), // _allowlistStartTime
        (await now()) + 10000, // _allowlistEndTime
        await now(), // _publicStartTime
        (await now()) + 10000, // _publicEndTime
        "0x8e3c1713145650ce646f7eccd42c4541ecee8f07040fc1ac36fe071bbfebb870", // _merkleRoot
      );
      await NextGenCore.addRandomizer(collectionID, Randomizer);
      return collectionID;
    };

    // Actual test //
    await NextGenCore.connect(owner).addMinterContract(Minter.target);

    const bobCollectionId = await createCollection(bob, 5);

    await expect(Minter.connect(owner).mintAndAuction(
      owner.address,
      '{"tdh": "100"}',
      2,
      bobCollectionId,
      (await now()) + 10000,
    )).to.be.reverted;
  })
})

Tools Used

Manual review + vscode

Recommended Mitigation Steps

Have a fallback time period or make collection time period a require (>0) parameter.

Assessed type

DoS
@c4-submissions c4-submissions added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Nov 4, 2023
c4-submissions added a commit that referenced this issue Nov 4, 2023
@c4-submissions
0xAlix2 issue #285
18cd7fd
@code4rena-admin code4rena-admin changed the title mintAndAuction can't be called for on collections that are using sales model 1 mintAndAuction can't be called for collections that are using sales model 1 Nov 4, 2023
@c4-bot-2 c4-bot-2 removed the 3 (High Risk) Assets can be stolen/lost/compromised directly label Nov 5, 2023
@code4rena-admin code4rena-admin added the 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value label Nov 5, 2023
@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #1278

@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #962

@c4-pre-sort
Copy link

141345 marked the issue as not a duplicate

@c4-pre-sort c4-pre-sort reopened this Nov 27, 2023
@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #1278

@c4-judge
Copy link

c4-judge commented Dec 6, 2023

alex-ppg marked the issue as duplicate of #1980

@c4-judge c4-judge added duplicate-1980 unsatisfactory does not satisfy C4 submission criteria; not eligible for awards and removed duplicate-1278 labels Dec 6, 2023
@c4-judge
Copy link

c4-judge commented Dec 8, 2023

alex-ppg marked the issue as unsatisfactory:
Overinflated severity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-1980 edited-by-warden unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@c4-judge @c4-pre-sort @c4-submissions @code4rena-admin @c4-bot-2