search

code-423n4 / 2023-10-nextgen-findings

5 stars 3 forks source link

No time input validation #2033

Closed c4-submissions closed 10 months ago

c4-submissions commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L170

Vulnerability details

Impact

IN the function setCollectionPhases, there is no time check for if _allowlistStartTime < _allowlistEndTime and _allowlistStartTime < _publicEndTime as it is used for comparisons in many placed

Proof of Concept

In the function mint in same contract, there is a check for if (block.timestamp >= collectionPhases[col].allowlistStartTime && block.timestamp <= collectionPhases[col].allowlistEndTime) { and same also in the burnOrSwapExternalToMint and this means wrong input of data can cause DOS for functions where allowlistStartTime > allowlistEndTime and allowlistStartTime > publicEndTime

Tools Used

Manual Review

Recommended Mitigation Steps

Add check for times, to ensure, the allowlistStartTime and publicStartTime are always less than both allowlistEndTime and publicEndTime.

Assessed type

DoS

c4-pre-sort commented 10 months ago

141345 marked the issue as duplicate of #478

c4-judge commented 10 months ago

alex-ppg marked the issue as not a duplicate

c4-judge commented 10 months ago

alex-ppg marked the issue as primary issue

c4-judge commented 10 months ago

alex-ppg marked issue #588 as primary and marked this issue as a duplicate of 588

c4-judge commented 10 months ago

alex-ppg changed the severity to QA (Quality Assurance)

c4-judge commented 9 months ago

alex-ppg marked the issue as grade-c