Lack of Slippage Protection in Dynamic Pricing Mint Function

[howlbot-integration[bot]]

Lines of code

https://github.com/code-423n4/2024-07-traitforge/blob/279b2887e3d38bc219a05d332cbcb0655b2dc644/contracts/TraitForgeNft/TraitForgeNft.sol#L202-L225

Vulnerability details

Impact

The mintWithBudget function uses a dynamic pricing mechanism without implementing slippage protection. Given the specific pricing parameters, this can lead to users paying more than anticipated for their NFTs, especially for larger mints or mints occurring later in a generation. Specific impacts include:

• Unexpected cost increases for users, particularly for multi-NFT mints.
• Potential for users to receive fewer NFTs than expected if prices rise during minting.
• Possible transaction failures if the price increases beyond the user's budget, wasting gas.

Proof of Concept

The current implementation calculates the mint price for each NFT individually within the minting loop:

    uint256 mintPrice = calculateMintPrice();
    uint256 amountMinted = 0;
    uint256 budgetLeft = msg.value;

    while (budgetLeft >= mintPrice && _tokenIds < maxTokensPerGen) {
      _mintInternal(msg.sender, mintPrice);
      amountMinted++;
      budgetLeft -= mintPrice;
      mintPrice = calculateMintPrice();  // Price recalculated for each mint
    }
    // ...
}

function calculateMintPrice() public view returns (uint256) {
    uint256 currentGenMintCount = generationMintCounts[currentGeneration];
    uint256 priceIncrease = priceIncrement * currentGenMintCount;
    uint256 price = startPrice + priceIncrease;
    return price;
}

Consider the following scenario:

User calculates that they can mint 100 NFTs with a budget of 12.75 ETH when 5000 NFTs have been minted in the current generation.

• Initial price: 0.005 + (0.0000245 * 5000) = 0.1275 ETH per NFT
• Expected total: 100 * 0.1275 = 12.75 ETH
• Before the user's transaction is processed, another person mints 50 NFTs.
• When the user's transaction is processed, the new starting price is:
• 0.005 + (0.0000245 * 5050) = 0.128725 ETH
• The user attempts to mint with their 12.75 ETH budget:

They can now only mint 99 NFTs (12.75 / 0.128725 ≈ 99.04) Total cost for 99 NFTs: approximately 12.74 ETH Remaining 0.01 ETH is refunded

Actual outcome:

User receives 99 NFTs instead of the expected 100 The average price paid per NFT is higher than initially calculated

This scenario demonstrates how the lack of slippage protection in the dynamic pricing mechanism can lead to users receiving fewer NFTs than they anticipated or paying more per NFT than expected, due to price increases caused by other users' minting activities between the time of calculation and the transaction being processed.

Tools Used

manual view

Recommended Mitigation Steps

add slippage protection

Assessed type

Context

[c4-judge]

koolexcrypto changed the severity to 2 (Med Risk)

[c4-judge]

koolexcrypto marked the issue as not a duplicate

[c4-judge]

koolexcrypto marked the issue as primary issue

[c4-judge]

koolexcrypto marked the issue as selected for report