Open hats-bug-reporter[bot] opened 1 year ago
Hello, Thanks a lot for your attention.
First of all, these contracts were not labelled in the scope of this audit contest but we still decided to analyze your issue. We have decided to choose this design pattern on purpose.
So we have to consider this issue as Invalid.
Github username: @https://github.com/betharavikiran
Submission hash (on-chain): 0x06d23155116ac69a69323002476512379ba7ffe5546b8958ea8c8e4608805eab
Severity: medium
Description: The preseed granting should be allowed only during the PreSeed sales. But the validation to grant preseed checks if the sale is over. Until the sale is over, the grant for preseed is honored. This includes the NOT_ACTIVE window as well.
Considering price differences between preseed and seed, the grant for preseed should be allowed during the PRESEED state only.
The condition looks like a copy paste error.
Attack Scenario: Granting preseed any time during the lifecycle until saleState is OVER opens for grants at preseed prices even when the phase has passed. The protocol should make a clear distinction between preseed and seed stages.
Attachments
This should be allowed only during PRESEED state.
```solidity
function grantPreseed(address _wallet, uint256 _amount) external onlyOwner {
    // @audit, invalid condition
    require(saleState < SaleState.OVER, "PRESALE_ROUND_FINISHED");
    _grantPreseed(_wallet, _amount);
}
```

```solidity
function grantPreseed(address _wallet, uint256 _amount) external onlyOwner {
    // @audit, invalid condition
    require(saleState == SaleState.PRESEED, "PRESALE_ROUND_FINISHED");
    _grantPreseed(_wallet, _amount);
}
```
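The two guards discussed in this report, placed side by side in one contract so the states each one admits can be compared. This is an added example, not code from the issue or from the audited project. The enum's member order, the `SEED` member, the `strictWindow` switch and all other names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited contract.
contract PreseedGuardDemo {
    // ASSUMPTION: member order and the SEED member; the report names only
    // NOT_ACTIVE, PRESEED and OVER. Enums compare by declaration order.
    enum SaleState { NOT_ACTIVE, PRESEED, SEED, OVER }

    address public immutable owner;
    bool public immutable strictWindow;   // hypothetical: which guard grants use
    SaleState public saleState;
    mapping(address => uint256) public preseedGranted; // hypothetical bookkeeping

    constructor(bool _strictWindow) {
        owner = msg.sender;
        strictWindow = _strictWindow;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "NOT_OWNER");
        _;
    }

    function setSaleState(SaleState next) external onlyOwner {
        saleState = next;
    }

    // Ordered comparison: passes for every state declared before OVER.
    function laxGuard(SaleState s) public pure returns (bool) {
        return s < SaleState.OVER;
    }

    // Equality: passes for PRESEED and nothing else.
    function strictGuard(SaleState s) public pure returns (bool) {
        return s == SaleState.PRESEED;
    }

    // Both guards evaluated for every state, indexed by uint8(SaleState).
    function guardMatrix() external pure returns (bool[4] memory laxOk, bool[4] memory strictOk) {
        for (uint8 i = 0; i < 4; i++) {
            laxOk[i] = laxGuard(SaleState(i));
            strictOk[i] = strictGuard(SaleState(i));
        }
    }

    function grantPreseed(address wallet, uint256 amount) external onlyOwner {
        bool allowed = strictWindow ? strictGuard(saleState) : laxGuard(saleState);
        require(allowed, "PRESALE_ROUND_FINISHED");
        preseedGranted[wallet] += amount;
    }
}
```

Calling `guardMatrix()` lists, per state, which guard would let an owner grant go through, which makes the intended grant window explicit for whichever policy a project chooses.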