In the sales of decreasing price, token price may jump to the initial high price at the end time of the sale. #395

Closed
c4-submissions opened this issue Nov 6, 2023 · 2 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-1275 partial-50 Incomplete articulation of vulnerability; eligible for partial credit only (50%)


Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L540

Vulnerability details

Impact

Buyers who buy tokens at the end of the sale may not buy them, or may buy them at unexpectedly high prices.

Proof of Concept

If salesOption==2, the selling price of the token decreases linearly or exponentially with time.
In a decreasing-price sale, the buyer will want to buy a token at the end of the sales period, to buy it as cheaply as possible, if there is no fear of the tokens being sold out before the deadline.
However, due to the following code in the MinterContract.sol#getPrice function, the price of the token will jump to the initial selling price at the end of the sale.

File: MinterContract.sol
540:        } else if (collectionPhases[_collectionId].salesOption == 2 && block.timestamp > collectionPhases[_collectionId].allowlistStartTime && block.timestamp < collectionPhases[_collectionId].publicEndTime){

That is, when block.timestamp == collectionPhases[_collectionId].publicEndTime, the initial price, not a decreased price, is applied.

Here is the reproducing scenario.

  1. Suppose that the total amount of tokens in a collection is 100, the initial price is 1000, the decrease rate is 30, timePeriod is one hour and the sales period is one day.
  2. The expected price at the end of the sale is 1000 - 30 * 23 = 310.
  3. A buyer attempts to buy a token by calling the MinterContract.sol#mint function exactly at the end time of the sale.
  4. Because MinterContract.sol#getPrice jumps to 1000 at the end of the sale, the buyer does not buy tokens or buys tokens at the high price of 1000 eth.

Tools Used

Manual Review

Recommended Mitigation Steps

In MinterContract.sol#L540, replace < with <= as follows.

File: MinterContract.sol
540: -       } else if (collectionPhases[_collectionId].salesOption == 2 && block.timestamp > collectionPhases[_collectionId].allowlistStartTime && block.timestamp < collectionPhases[_collectionId].publicEndTime){
540: +       } else if (collectionPhases[_collectionId].salesOption == 2 && block.timestamp > collectionPhases[_collectionId].allowlistStartTime && block.timestamp <= collectionPhases[_collectionId].publicEndTime){
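
Review bot: on the + line the upper bound becomes block.timestamp <= publicEndTime while the lower bound stays strict (block.timestamp > allowlistStartTime), so the inclusive end should be checked against the sale-window condition used in MinterContract.sol#mint; the report relies on mint accepting a call at exactly publicEndTime, and the two functions need to agree on whether that timestamp is inside the sale. A boundary test that calls getPrice at block.timestamp == publicEndTime and asserts the decreased price, plus one at publicEndTime + 1, would pin the intended behaviour.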

Assessed type

Math
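
The boundary behaviour described in this report can be reproduced with a small model. This is an added example, not code from the report or from MinterContract.sol: the linear step formula and the names Sale, get_price and boundary_jumps are assumptions, and the numbers are the report's scenario.

```python
# Model of the end-of-sale boundary in a decreasing-price sale.
# Assumption: price drops by `rate` for every full `period` elapsed since start.
from dataclasses import dataclass


@dataclass(frozen=True)
class Sale:
    start: int          # stands in for allowlistStartTime
    end: int            # stands in for publicEndTime
    initial_price: int
    rate: int           # price decrease per elapsed period
    period: int         # seconds per period (timePeriod)


def get_price(sale: Sale, now: int, inclusive_end: bool) -> int:
    """Decayed price inside the window; initial price on fall-through."""
    before_end = now <= sale.end if inclusive_end else now < sale.end
    if now > sale.start and before_end:
        elapsed_periods = (now - sale.start) // sale.period
        return max(sale.initial_price - sale.rate * elapsed_periods, 0)
    return sale.initial_price  # the branch reached when the window check fails


def boundary_jumps(sale: Sale, inclusive_end: bool) -> list[tuple[int, int, int]]:
    """(timestamp, previous price, new price) wherever the price rises from
    one second to the next in the last seconds of the sale."""
    jumps = []
    for now in range(sale.end - 2, sale.end + 1):
        prev = get_price(sale, now - 1, inclusive_end)
        cur = get_price(sale, now, inclusive_end)
        if cur > prev:
            jumps.append((now, prev, cur))
    return jumps


# Constructed scenario with the report's numbers: 1000 initial, 30 per hour, one day.
SALE = Sale(start=1_700_000_000, end=1_700_000_000 + 86_400,
            initial_price=1000, rate=30, period=3600)

if __name__ == "__main__":
    for label, inclusive in (("strict <", False), ("inclusive <=", True)):
        print(label,
              "| last second:", get_price(SALE, SALE.end - 1, inclusive),
              "| at end:", get_price(SALE, SALE.end, inclusive),
              "| jumps:", boundary_jumps(SALE, inclusive))
```

A check like boundary_jumps, run over the timestamps either side of each window edge, is the kind of test that catches a price that is meant to only decrease but rises at a boundary.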

@c4-pre-sort

141345 marked the issue as duplicate of #1391

@c4-judge

c4-judge commented Dec 8, 2023

alex-ppg marked the issue as partial-50
