In the sales of decreasing price, token price may jump to the initial high price at the end time of the sale. #395
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-1275
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L540
Vulnerability details
Impact
Buyers who buy tokens at the end of the sale may be unable to buy, or may buy tokens at an unexpectedly high price.
Proof of Concept
If `salesOption==2`, the selling price of the token decreases linearly or exponentially with time. In a decreasing-price sale, the buyer will want to buy a token at the end of the sales period to buy it as cheaply as possible, if there is no fear of the tokens selling out before the deadline.
However, by the following code in the `MinterContract.sol#getPrice` function, the price of the token will jump to the initial selling price at the end of the sale. That is, when `block.timestamp == collectionPhases[_collectionId].publicEndTime`, the initial price, not a decreased price, is applied. Here is the reproducing scenario.
`timePeriod` is one hour and sales period is one day.
1000 - 30 * 23 = 310.
`MinterContract.sol#mint` function at just the end time of sales.
`MinterContract.sol#getPrice` jumps to 1000 at the end of sales, the buyer does not buy tokens or buys tokens at the high price of 1000 eth.
Tools Used
Manual Review
Recommended Mitigation Steps
In `MinterContract.sol#L540`, replace `<` with `<=` as follows.
Assessed type
Math
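The boundary condition described in this report, as an added example that is not part of the original submission or of the NextGen code base: a simplified Python model of the linear price decrease, run on the report's scenario (initial price 1000, a decrease of 30 per one-hour period, a one-day sale). The field names, the floor price of 100 and the start-time check are assumptions made for the model.

```python
# Simplified model of a linearly decreasing sale price (added example).
# All names are hypothetical; the numbers follow the report's scenario.
from dataclasses import dataclass

@dataclass(frozen=True)
class Sale:
    start_time: int    # sale start (seconds); assumed part of the window check
    end_time: int      # sale end (seconds), the report's publicEndTime
    start_price: int   # initial price
    floor_price: int   # assumed lowest price the sale can reach
    rate: int          # price drop per period
    time_period: int   # seconds per period (the report's timePeriod)

def get_price(sale: Sale, now: int, inclusive_end: bool) -> int:
    """Return the price at `now`.

    inclusive_end=False models the strict `<` end-time comparison the report
    describes; inclusive_end=True models the recommended `<=`.
    """
    before_end = now <= sale.end_time if inclusive_end else now < sale.end_time
    if not (now > sale.start_time and before_end):
        # Outside the decreasing window the initial price is applied.
        return sale.start_price
    periods = (now - sale.start_time) // sale.time_period  # integer division
    if (sale.start_price - sale.floor_price) // sale.rate > periods:
        return sale.start_price - periods * sale.rate
    return sale.floor_price

def boundary_jump(sale: Sale, inclusive_end: bool) -> tuple[int, int]:
    """Prices one second before the end time and exactly at the end time."""
    return (get_price(sale, sale.end_time - 1, inclusive_end),
            get_price(sale, sale.end_time, inclusive_end))

HOUR = 3600
SALE = Sale(start_time=0, end_time=24 * HOUR, start_price=1000,
            floor_price=100, rate=30, time_period=HOUR)

if __name__ == "__main__":
    print("strict <     :", boundary_jump(SALE, inclusive_end=False))
    print("inclusive <= :", boundary_jump(SALE, inclusive_end=True))
```

A boundary test of this shape, evaluated at exactly the end timestamp as well as one second before it, is the check that catches the jump.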