NFT buyer can abuse the mompool and mint NFT of specific collection at lowest price #566
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
edited-by-warden
insufficient quality report
This report is not of sufficient quality
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Comments
c4-submissions
added
2 (Med Risk)
|
141345 marked the issue as duplicate of #478 |
|
141345 marked the issue as not a duplicate |
|
141345 marked the issue as insufficient quality report |
c4-pre-sort
added
the
insufficient quality report
|
The Warden specifies a situation whereby a savvy buyer can wait until a collection's supply is close to exhaustion in a price-decreasing model to purchase it close to the end for a profit which aligns with the project's specification. |
c4-judge
added
the
unsatisfactory
|
alex-ppg marked the issue as unsatisfactory: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/MinterContract.sol#L157-L166
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/MinterContract.sol#L170-L177
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/MinterContract.sol#L540-L563
Vulnerability details
Impact
NFT buyer can abuse the mompool and mint NFT of specific collection at lowest price.
Proof of Concept
setCollectionData._collectionTotalSupplyandmaxCollectionPurchases).setCollectionCostsand sets the minting costs for collection#1.rate,timeperiod,salesOption)setCollectionPhasesand sets collection timing for collection#1 (phases).allowlistStartTimeandpublicEndTime).Now imagine salesOption is 2, and timestamp is between
allowStartTimeandpublicEndTime, so Bob knows in this case the price is decreasing during time (see MinterContract#getPrice() function), and also he knows how much supply is available (totalSupply minus circulatingSupply) and also he knows how many NFTs can be minted per address (because Bob knowsmaxCollectionPurchases), he waits until other people have bought all the others NFTs and he buys the latest NFTs at lowest price.Another situation that can be assumed is that a a lot of users are familiar with this scenario and all of them will wait until the price is as low as possible (when we approach to the
publicEndTime, we realize that the price has reached its lowest price).Tools Used
Manual Review
Recommended Mitigation Steps
Consider adding a workaround which prevents against this scenraio, but here i suggest a workaround that maybe useful:
If one of the parameters being invisible (making variable
privaterather than public), no one is able to abuse this scenario.Assessed type
Other
The text was updated successfully, but these errors were encountered: