c4-judge
commented
1 year ago berndartmueller changed the severity to QA (Quality Assurance)
Closed code423n4 closed 1 year ago
c4-judge
commented
1 year ago berndartmueller changed the severity to QA (Quality Assurance)
c4-judge
commented
1 year ago berndartmueller marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2022-12-escher/blob/main/src/minters/LPDA.sol#L92
Vulnerability details
Impact
LPDA.cancelis anownerprotected function which can only be invoked beforesale.startTime.But this function can be invoked multiple times by the
ownerresulting in multiple invalidEndevent emission. Off-chain agents heavily rely on smart contract events so any unintended event emission can be used to trick off-chain elements which can cause loss of assets to the protocol.Proof of Concept
sale.startTimetheownercalls thecancelfunction.sale.startTimetheownercalls thecancelfunction again. The transaction gets executed successfully.cancelcan be successfully executed any number of time byowner.Tools Used
Manual review
Recommended Mitigation Steps
Consider adding checks which validate that
cancelcan be invoked only once.