An incorrect index of the checkpoint is used when creating a Protected Listing because the tstore opcode is not emptied after the use.
Vulnerability Detail
The tstore opcode is temporary but not emptied after until the end of the transaction. Hence if a user creates multiple protectedListings in the same transaction the same checkpointIndex will be used for all the listings except the first.
POC
User creates a ProtectedListing the checkpoint is updated with the current checkpoint
User creates another ProtectedListing in the same transaction leading to the same checkpoint been used for listing 2
User can continuously do this and all subsequent listings will have the same checkpoint
Impact
The listing checkpoint index is used to calculate the unlock price of a user's NFT, as such this will result in listings with lower price.
Bright Emerald Fish
High
Incorrect index due to not emptying tstore
Summary
An incorrect index of the checkpoint is used when creating a Protected Listing because the tstore opcode is not emptied after the use.
Vulnerability Detail
The tstore opcode is temporary but not emptied after until the end of the transaction. Hence if a user creates multiple protectedListings in the same transaction the same checkpointIndex will be used for all the listings except the first.
POC
Impact
The listing checkpoint index is used to calculate the unlock price of a user's NFT, as such this will result in listings with lower price.
Code Snippet
In https://github.com/sherlock-audit/2024-08-flayer/blob/main/flayer/src/contracts/ProtectedListings.sol#L138
Tool used
Manual Review
Recommendation
Clear the tstore opcode after use/call.