code-423n4 / 2022-12-escher-findings


If very few NFTs have been sold, `saleReceiver` will have to buy all remaining NFTs to retrieve the contract funds. #528

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-12-escher/blob/5d8be6aa0e8634fdb2f328b99076b0d05fefab73/src/minters/LPDA.sol#L81-L89

Vulnerability details

Impact

If very few NFTs have been sold, `saleReceiver` will have to buy all remaining NFTs if he wants to get the funds that he obtained during the mint period.

Fortunately, it is still possible to mint NFTs after `temp.endTime` because the following check is not done in `LPDA.buy`: `require(block.timestamp < temp.endTime, "TOO LATE");`

But, still, it could be very expensive to buy all the remaining Ids.

Proof of Concept

LPDA.sol#L81-L89

        if (newId == temp.finalId) {
            sale.finalPrice = uint80(price);
            uint256 totalSale = price * amountSold;
            uint256 fee = totalSale / 20;
            ISaleFactory(factory).feeReceiver().transfer(fee);
            temp.saleReceiver.transfer(totalSale - fee);
            _end();
        }

Tools Used

Manual Review.

Recommended Mitigation Steps

I recommend using the same mechanism as in the OpenEdition contract with `finalize`.
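The following is an added example, not part of the original report or the Escher code base: a cash-flow model of the quoted settlement branch that compares buying out the remainder with a `finalize`-style settlement after the sale ends. The price, supply and sold counts are constructed, `finalize_after_end` is a hypothetical model of the recommendation, and only the `saleReceiver`'s ETH flows are modelled (single purchase price, gas ignored).

```python
# Added model (constructed figures), not code from the Escher repository.
FEE_DIVISOR = 20  # quoted branch: fee = totalSale / 20


def settle(price: int, amount_sold: int) -> tuple[int, int]:
    """Arithmetic of the quoted branch; returns (fee, paid to saleReceiver) in wei."""
    total_sale = price * amount_sold
    fee = total_sale // FEE_DIVISOR
    return fee, total_sale - fee


def buy_out_remainder(price: int, supply: int, sold: int) -> dict:
    """saleReceiver buys every unsold id so that newId == finalId.

    Assumptions: a single purchase at `price`, the receiver's own ids count
    toward amountSold, gas is ignored.
    """
    outlay = price * (supply - sold)
    fee, payout = settle(price, supply)
    return {"outlay": outlay, "fee": fee, "net": payout - outlay}


def finalize_after_end(price: int, sold: int) -> dict:
    """Hypothetical finalize(): settle on the ids actually sold."""
    fee, payout = settle(price, sold)
    return {"outlay": 0, "fee": fee, "net": payout}


def compare(price: int, supply: int, sold: int) -> dict:
    """Side-by-side result plus the extra fee the buy-out route costs."""
    a = buy_out_remainder(price, supply, sold)
    b = finalize_after_end(price, sold)
    return {"buy_out": a, "finalize": b, "extra_fee": a["fee"] - b["fee"]}


if __name__ == "__main__":
    PRICE = 10**17   # constructed: 0.1 ETH price at settlement
    SUPPLY = 100     # constructed: ids on sale
    for sold in (3, 10):
        r = compare(PRICE, SUPPLY, sold)
        print(sold, r["buy_out"]["net"] / 1e18, r["finalize"]["net"] / 1e18)
```

With these constructed figures, buying out after 3 of 100 sales is a net loss of 0.2 ETH, and after 10 of 100 sales it recovers 0.5 ETH where settling on the sold ids would pay 0.95 ETH. The difference is the 5% fee charged on the receiver's own purchases.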

c4-judge commented 1 year ago

berndartmueller marked the issue as duplicate of #328

c4-judge commented 1 year ago

berndartmueller marked the issue as satisfactory