Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Denial of Service (DoS) in mintAndAuction for collection using Sale Mode 1: Fixed Price Sale #1505

Closed
c4-submissions opened this issue Nov 13, 2023 · 7 comments
Closed

Denial of Service (DoS) in mintAndAuction for collection using Sale Mode 1: Fixed Price Sale #1505

c4-submissions opened this issue Nov 13, 2023 · 7 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-1980 sufficient quality report This report is of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L276-L298
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L157-L166

Vulnerability details

Risk Level: High

  • Impact: High
  • Likelihood: Medium

Links to affected code:

Vulnerability details

Impact

Unable to create the auction for the collection using sales mode 1, Fixed Price Sale, as it leads to a division by zero error at Line 292.

292:     uint tDiff = (block.timestamp - timeOfLastMint) / collectionPhases[_collectionID].timePeriod;

Detail

The mintAndAuction function allows function admin to create one auction per period:

285:     if (lastMintDate[_collectionID] == 0) {
286:           // for public sale set the allowlist the same time as publicsale
287:           timeOfLastMint = collectionPhases[_collectionID].allowlistStartTime - collectionPhases[_collectionID].timePeriod;
288:     } else {
289:           timeOfLastMint =  lastMintDate[_collectionID];
290:     }
291:     // uint calculates if period has passed in order to allow minting
292:     uint tDiff = (block.timestamp - timeOfLastMint) / collectionPhases[_collectionID].timePeriod;
293:     // users are able to mint after a day passes
294:     require(tDiff>=1, "1 mint/period");
295:     lastMintDate[_collectionID] = collectionPhases[_collectionID].allowlistStartTime + (collectionPhases[_collectionID].timePeriod * (gencore.viewCirSupply(_collectionID) - 1));

However, the timePeriod used to calculate tDiff at Line 292 purposely refers to the time period that affects the minting price of collections using sale mode 2 or 3 (Exponential/Linear Descending Sale and Periodic Sale, respectively). This value is set to zero when the collection uses sale mode 1 (Fixed Price Sale).

NextGen-Fixed-Price-Sale

https://seize-io.gitbook.io/nextgen/nextgen-smart-contracts/minter

As a result, collections using sale mode 1 are unable to create auctions, as the calculation of tDiff will lead to a division by zero, causing the transaction to revert.

Proof of Concept

Assuming Collection ID: 1 is the target for the Proof of Concept (PoC):

  1. The admin assigns Collection ID: 1 to use Sale Model: 1, setting the rate and time period to 0.
  2. The admin attempts to create a token for auction in this collection by executing mintAndAuction with _collectionID as 1.
  3. The transaction reverts at Line 292 due to a division by zero error, as timePeriod is set to 0.

Tools Used

  • Hardhat
  • Manual Review

Recommended Mitigation Steps

Consider updating the mintAndAuction function to handle all possible scenarios.

Specifically, introduce a new variable, such as auctionTimePeriod, distinct from the timePeriod purposely used to calculate sale prices in sale mode 2 or 3.

This new variable will be specifically utilized within the context of the mintAndAuction function, ensuring accurate calculations and preventing division by zero errors for collections using sale mode 1.

Assessed type

DoS
@c4-submissions c4-submissions added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Nov 13, 2023
c4-submissions added a commit that referenced this issue Nov 13, 2023
@c4-submissions
Valix issue #1505
6e9bb02
@c4-pre-sort
Copy link

141345 marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Nov 16, 2023
@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #1278

@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #962

@c4-pre-sort c4-pre-sort reopened this Nov 27, 2023
@c4-pre-sort
Copy link

141345 marked the issue as not a duplicate

@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #1278

@c4-judge
Copy link

c4-judge commented Dec 6, 2023

alex-ppg marked the issue as duplicate of #1980

@c4-judge
Copy link

c4-judge commented Dec 8, 2023

alex-ppg marked the issue as unsatisfactory:
Overinflated severity

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Dec 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-1980 sufficient quality report This report is of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@c4-judge @c4-pre-sort @c4-submissions