Mint legendary gobbler with unrevealed gobblers #152
Labels
bug
Something isn't working
duplicate
This issue or pull request already exists
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Comments
code423n4
added
2 (Med Risk)
|
Duplicate: #363 |
GalloDaSballo
added
QA (Quality Assurance)
|
L |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/ArtGobblers.sol#L439
https://github.com/code-423n4/2022-09-artgobblers/blob/d2087c5a8a6a4f1b9784520e7fe75afa3a9cbdbe/src/ArtGobblers.sol#L650
Vulnerability details
Impact
Detailed description of the impact of this finding.
If a gobbler is not yet revealed and is used to mint a legendary gobbler then its potential emissionMultiple will not be accounted on the final emissionMultiple of the legendary gobbler LoC 439
Proof of Concept
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
The emissionMultiple of a gobbler is set during the reveal phase LoC 650
For example if a user uses a not revealed gobbler on the mintLegendaryGobbler(gobblerIds) function the potential emissionMultiple of this gobbler will not be accounted. Therefore, reducing the potential goo balance of the user.
Tools Used
Manual review
Recommended Mitigation Steps
Only allow revealed gobblers to be used for minting a legendary gobbler, for example adding a require( getGobblerData[id].emissionMultiple != 0 )
The text was updated successfully, but these errors were encountered: