taxCut is a non-constant variable, being set to 10% on deploy. It has a setTaxCut() function which allows the taxCut value to be changed at any time by the contract owner. The taxCut amount is used on three places through the protocol:
1) In NukeFund::receive() upon receiving ETH the taxCut is calculated and send to the Dev/DAO Fund.
2) In EntityTrading::buyNFT() upon buying a NFT the nukeFundContribution variable represents the taxCut end value that is being transfered to the nukeFund address.
3) In EntityForging::forgeWithListed() upon forging a NFT the devFee variable represents the taxCut end value that is being transfered to the nukeFund address.
The taxCut calculation may work with the current value set on deploying of the contracts which is 10% but if changed in the future by the contract owner it will return wrong values making the protocol/seller receiving less or more fees depending of the taxCut value being set.
1) Alice wants to buy 1 NFT which price is 1 ETH.
2) The current tax 10% is calculated like this:
a) uint256 nukeFundContribution = msg.value / taxCut; --> 1 ETH / 10 =0.1ETH
Everything looks good, but lets say that the tax is being changed to e.g 20%
b) uint256 nukeFundContribution = msg.value / taxCut --> 1 ETH / 20 =0.05ETH
But if we use the formula for calculating percentages ,(x*p)/100 where p = taxCut(20%) the calculation will look like this: (1 ETH * 20) / 100 =0.2ETH
We have a difference of 0.15 ETH in favor of the nukeFund address and the seller of the NFT will receive less ETH than intended
Tools Used
Manual Review
Recommended Mitigation Steps
Change the calculation of the taxCut with this formula: (msg.value * taxCut)/100
Lines of code
https://github.com/code-423n4/2024-07-traitforge/blob/279b2887e3d38bc219a05d332cbcb0655b2dc644/contracts/EntityForging/EntityForging.sol#L146 https://github.com/code-423n4/2024-07-traitforge/blob/279b2887e3d38bc219a05d332cbcb0655b2dc644/contracts/EntityTrading/EntityTrading.sol#L72 https://github.com/code-423n4/2024-07-traitforge/blob/279b2887e3d38bc219a05d332cbcb0655b2dc644/contracts/NukeFund/NukeFund.sol#L41
Vulnerability details
Impact
taxCut
is a non-constant variable, being set to10%
on deploy. It has asetTaxCut()
function which allows thetaxCut
value to be changed at any time by the contract owner. ThetaxCut
amount is used on three places through the protocol: 1) InNukeFund::receive()
upon receiving ETH thetaxCut
is calculated and send to the Dev/DAO Fund. 2) InEntityTrading::buyNFT()
upon buying a NFT thenukeFundContribution
variable represents thetaxCut
end value that is being transfered to thenukeFund
address. 3) InEntityForging::forgeWithListed()
upon forging a NFT thedevFee
variable represents thetaxCut
end value that is being transfered to thenukeFund
address.The
taxCut
calculation may work with the current value set on deploying of the contracts which is10%
but if changed in the future by the contract owner it will return wrong values making the protocol/seller receiving less or more fees depending of thetaxCut
value being set.NukeFund.sol::receive()
EntityTrading.sol::buyNFT()
EntityForging.sol::forgeWithListed()
Proof of Concept
Lets see the following example:
1) Alice wants to buy 1 NFT which price is
1 ETH
. 2) The current tax10%
is calculated like this: a)uint256 nukeFundContribution = msg.value / taxCut;
--> 1 ETH / 10 =0.1ETH
Everything looks good, but lets say that the tax is being changed to e.g20%
b) uint256 nukeFundContribution = msg.value / taxCut --> 1 ETH / 20 =
0.05ETH
But if we use the formula for calculating percentages ,(x*p)/100
wherep = taxCut(20%)
the calculation will look like this: (1 ETH * 20) / 100 =0.2ETH
We have a difference of 0.15 ETH in favor of the nukeFund address and the seller of the NFT will receive less ETH than intended
Tools Used
Manual Review
Recommended Mitigation Steps
Change the calculation of the
taxCut
with this formula: (msg.value * taxCut)/100Assessed type
Math