hats-finance / Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777

IBO, Vesting & Bond mechanism repo prepared for Hats Finance audit competition

_saleState check can be bypassed in Presale contract #23

Open hats-bug-reporter[bot] opened 1 year ago

hats-bug-reporter[bot] commented 1 year ago

Github username: @JeffCX

Submission hash (on-chain): 0x36354c97d8241dec945aa6679eb21d7598d3e2498421080cf934feaf661d5f93

Severity: medium

Description:

_saleState check can be bypassed in Presale contract

Attack Scenario

In the PresaleCvg.sol contract, when calling investMint, we are validating whether the sale has started and whether the sale has finished in this code:

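    function investMint(bytes32[] calldata _merkleProof, uint256 _amount, bool _isDai, uint256 _type) external {
        // Read the sale state once from storage
        SaleState _saleState = saleState;

        // Revert unless the presale has started and is not yet over
        require(_saleState > SaleState.NOT_ACTIVE, "PRESALE_NOT_STARTED");
        require(_saleState < SaleState.OVER, "PRESALE_ROUND_FINISHED");
        // ... (the report quotes only the start of the function)
    }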

However, there is no such check in the function refillToken.

This means the token and sales amount can be refilled and updated even after the sale finishes, which is not fair to other users that faithfully compete in the sale.

Attachments

  1. Proof of Concept (PoC) File

A user can just investMint with a tiny amount and refillToken even after the sale finishes.

  2. Revised Code File (Optional)

Validate the sale state in the function refillToken as well.

shalbe-cvg commented 1 year ago

Hello, thanks a lot for your attention.

First of all, this contract was not labelled in the scope of this audit contest, but we still decided to analyze your issue. After examination, no more CVG tokens could be minted through this after the presale has ended. In the case where someone refills his NFT token later on, we have already prepared an extra amount of CVG tokens to put on this contract.

The fact that we didn't add this check on this function was on purpose. We therefore have to consider this issue as Invalid.
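
The inconsistency discussed in this thread (sale-state guards on investMint but none on refillToken) is the kind of thing a reviewer can surface mechanically. The script below is an added example, not part of the issue or of the Convergence code base. Its contract text is a constructed sample: only the two `require` lines come from the report, while the `ACTIVE` enum member, the refillToken signature and the function bodies are assumptions.

```python
import re

# Constructed sample. Only the two require() lines are quoted from the report;
# the ACTIVE member, the refillToken signature and the bodies are assumptions.
SAMPLE = """
contract PresaleSketch {
    enum SaleState { NOT_ACTIVE, ACTIVE, OVER }
    SaleState public saleState;
    function investMint(bytes32[] calldata _merkleProof, uint256 _amount, bool _isDai, uint256 _type) external {
        SaleState _saleState = saleState;
        require(_saleState > SaleState.NOT_ACTIVE, "PRESALE_NOT_STARTED");
        require(_saleState < SaleState.OVER, "PRESALE_ROUND_FINISHED");
        if (_amount == 0) { revert("ZERO"); }
    }
    function refillToken(uint256 _tokenId, uint256 _amount, bool _isDai) external {
        if (_amount == 0) { revert("ZERO"); }
    }
    function getSaleState() external view returns (SaleState) { return saleState; }
}
"""

FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{;]*)\{")
GUARDS = {
    "started": re.compile(r"require\s*\(\s*\w+\s*>\s*SaleState\.NOT_ACTIVE"),
    "not_over": re.compile(r"require\s*\(\s*\w+\s*<\s*SaleState\.OVER"),
}

def function_bodies(source):
    """Yield (name, header, body); bodies are found by brace depth.
    Limitation: braces inside string literals or comments are not handled."""
    for m in FUNC_RE.finditer(source):
        depth, i = 1, m.end()
        while depth and i < len(source):
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        yield m.group(1), m.group(2), source[m.end():i - 1]

def missing_sale_guards(source):
    """Map each state-changing external/public function to the guards it lacks."""
    report = {}
    for name, header, body in function_bodies(source):
        if not re.search(r"\b(external|public)\b", header) or re.search(r"\b(view|pure)\b", header):
            continue  # internal or read-only: not a state-changing entry point
        lacking = [g for g, rx in GUARDS.items() if not rx.search(body)]
        if lacking:
            report[name] = lacking
    return report

print(missing_sale_guards(SAMPLE))
```

A hit is a prompt for review rather than a finding by itself: as the maintainer's reply shows, a guard can be absent by design.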