search

metaplex-foundation / sugar

Candy Machine Rust CLI.
Apache License 2.0
205 stars 117 forks source link

[Bug]: Potential issue with whitelist mints #289

Closed 0xJohnnyboy closed 2 years ago

0xJohnnyboy commented 2 years ago

Issue description

Hi, I set up a test CM in mainnet with a whitelist mint with those settings:

{
  "price": 1,
  "number": 25,
  "gatekeeper": null,
  "creators": [
    {
      "address": "6WzAZ5BdVo3YtwwBvBTiTNysUhtKxCVTxzSM7AoRCLWc",
      "share": 100
    }
  ],
  "solTreasuryAccount": null,
  "splTokenAccount": "8ncq2nGqN2kMn3Cc6ADS6x2uGEZ48YXJtQsXagHSkc3b",
  "splToken": "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v",
  "goLiveDate": "21 Jul 2022 20:00:00 +0000",
  "endSettings": null,
  "whitelistMintSettings": {
    "mode": "burnEveryTime",
    "mint": "WL7STrgdAbmFPdDMZrX6QimR1CsdLKrPj7xCvwSVwu3",
    "presale": true,
    "discountPrice": null
},
  "hiddenSettings": null,
  "uploadMethod": "shdw",
  "retainAuthority": true,
  "isMutable": true,
  "symbol": "USGT",
  "sellerFeeBasisPoints": 800,
  "awsS3Bucket": null,
  "nftStorageAuthToken": null,
  "shdwStorageAccount": "EUkV9nmfMM4CzxYAQMpNpwKWgMXFBSTYP8KmMfburPj9"
}

The token has been created with the following instructions

solana-keygen grind --starts-with WL:1
spl-token create-token {ADDRESS.JSON} --decimals=0
spl-token create-account {ADDRESS.JSON}
spl-token mint {ADDRESS} {AMOUNT}

We were trying out to mint with the UI we generated, and we noticed that the "remaining items" count suddenly dropped by 2.

Someone managed to mint our NFTs, without having to burn the whitelist token. Here is the Tx by the unknown minter.

Here is one of our Txs.

You can see that the 5th step starts for us with "#5.1 Burn", with the address of the WL token.

5.1 Burn

Interact With Token Program -TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DAicon copy Input Accounts Account 9zb7aNiS8xar4K45NuotESU1bmfHeed6EKtcSat5F75Cicon copyWritable Amount 1 Authority AiyvHBEzAANokpK3eEUBDzbAYYbWqpUmFzRG3nFDP4Rbicon copyWritableSignerFee Payer Mint WL7STrgdAbmFPdDMZrX6QimR1CsdLKrPj7xCvwSVwu3icon copy

On the other transaction, there is "#5.1 Token Transfer" directly.

5.1 Token Transfer

Interact With Token Program -TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DAicon copy Input Accounts Source EWoWngd2MqqWE29ndzQ13FUVAimMmgm3tL2YuqFFKqJ5icon copyWritable Destination 8ncq2nGqN2kMn3Cc6ADS6x2uGEZ48YXJtQsXagHSkc3bicon copyWritable Authority 7SkdwF83hds7qbbRfYyxUNFNWTbTBi8Pgz35KEdM7Jazicon copyWritableSignerFee Payer Amount 1 USDCicon copy

How is this possible ? By chance, we were only doing some tests, but did I miss something ? I suspect this is a bot scanning for new CM deployed on mainnet, but how was it able to bypass the WL token ? It paid the $USDC 2, and the NFTs are marked as "test" so no real harm here but I'm glad it didn't happen on the real ones.

Relevant log output

No response

Priority this issue should have

High (immediate attention needed)

febo commented 2 years ago

Your candy machine seems to be live (public sale), so anyone can mint without a whitelist token. If you want to restrict the mint only to whitelist users before the goLiveDate (presale), you need to set the goLiveDate to a date in the future. Another alternative is to restrict the mint only to whitelist users, then use "presale": false in combination with "discountPrice": null.

Other combinations are detailed in the docs here:

0xJohnnyboy commented 2 years ago

Ok my bad then, once again. I think I went too fast on this (I saw "mode has been simplified" in the docs and got to the next step), and was tricked by the UI button that was still disabled without the WL token.

Totally forgot about these sections in the documentation, I'll make a PR on the docs to link this section.

Thanks for you fast reply 🙏 I'm closing