ArtGobblers.sol#L411 : mintLegendaryGobbler can be executed without gobblerIds also

[code423n4]

Lines of code

https://github.com/code-423n4/2022-09-artgobblers/blob/d2087c5a8a6a4f1b9784520e7fe75afa3a9cbdbe/src/ArtGobblers.sol#L411-L420

Vulnerability details

Impact

The function mintLegendaryGobbler can be called without any gobblerIds as well.

Proof of Concept

https://github.com/code-423n4/2022-09-artgobblers/blob/d2087c5a8a6a4f1b9784520e7fe75afa3a9cbdbe/src/ArtGobblers.sol#L411-L471.

to mint the legendary gobbler in the function mintLegendaryGobbler, the line ArtGobblers.sol#L418 calculates the cost. uint256 cost = legendaryGobblerPrice();

The cost could be zero, when we look at the line https://github.com/code-423n4/2022-09-artgobblers/blob/d2087c5a8a6a4f1b9784520e7fe75afa3a9cbdbe/src/ArtGobblers.sol#L497 from function legendaryGobblerPrice

If cost is zero, then the validation check in line https://github.com/code-423n4/2022-09-artgobblers/blob/d2087c5a8a6a4f1b9784520e7fe75afa3a9cbdbe/src/ArtGobblers.sol#L420 will not revert when gobblerIds is not passed. technically the condition check could be if( 0 < 0 ) - this will return false so the revert will not be executed.

So, the user can call the function even without gobblerIds - https://github.com/code-423n4/2022-09-artgobblers/blob/d2087c5a8a6a4f1b9784520e7fe75afa3a9cbdbe/src/ArtGobblers.sol#L411 when the cost is zero.

Tools Used

Manual code review - VS code

Recommended Mitigation Steps

Validating the the cost or checking the gobblerIds is suggested.

[zobront]

If the cost returns 0, it means the Legendary Auction interval has expired, and the intention is to be able to mint at a price of 0 (with no NFT IDs passed).

[GalloDaSballo]

With the information I have avaialble, VRGDA will go from start to end, if start is meant to go to 0, that's intended behaviour.

In this specific instance we can purchase a legendary gobbler for 0, this doesn't seem to create any issue.

If anything you'd expect people to purchase before this happens