Closed c4-submissions closed 7 months ago
141345 marked the issue as duplicate of #632
alex-ppg marked the issue as duplicate of #881
alex-ppg marked the issue as duplicate of #2012
alex-ppg changed the severity to 3 (High Risk)
alex-ppg marked the issue as partial-50
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L249-L252
Vulnerability details
Summary
lastMintDate[col]
is set to be higher than expected, which can lead to the minting process being blocked for some time.Vulnerability Details
In the
mint
function in theMintContract
if thesalesOption
of the collection is set to 3 then we can only mint 1 token per period. This is the expression used to calculate when thelastMintDate[col]
was:However if we airdrop tokens the
circulatingSupply
increases and so does thelastMintDate
. So now if 1 time period has passed and someone tries to mint, he won't be able to do it.Proof of Concept
Add this test to
nextGen.test.js
and runnpx hardhat test
, also at the top of the test file add: (const { loadFixture, time } = require("@nomicfoundation/hardhat-toolbox/network-helpers")
)In this test we see that after we airdrop some tokens we were able to mint the first time because of the check:
However when we try to mint the second time, we weren't able to since the circulating supply now is 101 tokens and
lastMintDate
is calculated as followed:1699993193 + 200 * 101 (102 tokens since the supply first increases - 1 from the formula) = 1 700 013 393
but we try to mint at time1699993193 + 202 = 1 699 993 395(this is expected time and should be able to mint)
Impact
Blocks the mint function and users are not able to mint tokens as expected
Tools Used
VS Code, Hardhat, Manual Review
Recommended Mitigation Steps
I would recommend changing the way
lastMintDate
variable is calculated. The first time we mint it needs to be thecollectionPhases[col].allowlistStartTime + collectionPhases[col].timePeriod
and after that just addtimePeriod
every time a new mint happens.Assessed type
Math