Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NFT token mint can run out of gas when creating the auction if the nft founder founderPct numbers are very large. #67

Closed
code423n4 opened this issue Sep 8, 2022 · 1 comment
Closed

NFT token mint can run out of gas when creating the auction if the nft founder founderPct numbers are very large. #67

code423n4 opened this issue Sep 8, 2022 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-09-nouns-builder/blob/7e9fddbbacdd7d7812e912a369cfd862ee67dc03/src/auction/Auction.sol#L206
https://github.com/code-423n4/2022-09-nouns-builder/blob/7e9fddbbacdd7d7812e912a369cfd862ee67dc03/src/token/Token.sol#L113
https://github.com/code-423n4/2022-09-nouns-builder/blob/7e9fddbbacdd7d7812e912a369cfd862ee67dc03/src/token/Token.sol#L157

Vulnerability details

Impact

Detailed description of the impact of this finding.

when creating the auction, the auction contract first mint nft and hold the NFT then when the auction is settled, nft is transfered out to the user.

    /// @dev Creates an auction for the next token
    function _createAuction() private {
        // Get the next token available for bidding
        try token.mint() returns (uint256 tokenId) {

when token.mint() is called, the nft is supposed to be minted.

but when token.mint is called.

        // Cannot realistically overflow
        unchecked {
            do {
                // Get the next token to mint
                tokenId = settings.totalSupply++;

                // Lookup whether the token is for a founder, and mint accordingly if so
            } while (_isForFounder(tokenId));
        }

note this while loop,

while (_isForFounder(tokenId));

inside _isForFounder(tokenId)

    /// @dev Checks if a given token is for a founder and mints accordingly
    /// @param _tokenId The ERC-721 token id
    function _isForFounder(uint256 _tokenId) private returns (bool) {
        // Get the base token id
        uint256 baseTokenId = _tokenId % 100;

        // If there is no scheduled recipient:
        if (tokenRecipient[baseTokenId].wallet == address(0)) {
            return false;

            // Else if the founder is still vesting:
        } else if (block.timestamp < tokenRecipient[baseTokenId].vestExpiry) {
            // Mint the token to the founder
            _mint(tokenRecipient[baseTokenId].wallet, _tokenId);

            return true;

            // Else the founder has finished vesting:
        } else {
            // Remove them from future lookups
            delete tokenRecipient[baseTokenId];

            return false;
        }
    }

we check that if this nft token id belongs to the founder, we mint to founders,

We assign nft token id to founder in the _addFounder function

                // For each token to vest:
                for (uint256 j; j < founderPct; ++j) {
                    // Get the available token id
                    baseTokenId = _getNextTokenId(baseTokenId);

                    // Store the founder as the recipient
                    tokenRecipient[baseTokenId] = newFounder;

                    emit MintScheduled(baseTokenId, founderId, newFounder);

                    // Update the base token id
                    (baseTokenId += schedule) % 100;
                }

the FounderPct, can be 100 at most.

here is the key,

if token id from 0 - 99 all belongs to founder,

then if a user create auction and call mint, he has to pay the gas to mint 100 nft for the founders.

minting nft for 100 times is either very expensive, gas consuming or the transaction is running out of gas.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

Note in the test

https://github.com/code-423n4/2022-09-nouns-builder/blob/7e9fddbbacdd7d7812e912a369cfd862ee67dc03/test/utils/NounsBuilderTest.sol#L84

    function setMockFounderParams() internal virtual {
        address[] memory wallets = new address[](2);
        uint256[] memory percents = new uint256[](2);
        uint256[] memory vestingEnds = new uint256[](2);

        wallets[0] = founder;
        wallets[1] = founder2;

        percents[0] = 10;
        percents[1] = 5;

        vestingEnds[0] = 4 weeks;
        vestingEnds[1] = 4 weeks;

        setFounderParams(wallets, percents, vestingEnds);
    }

the founder1 owns 10 nft out of 100, founder2 owns 5 nft out of 100.

We can modify the test as our POC.

we change 10 and 5 to 50 and 50

 function setMockFounderParams() internal virtual {
        address[] memory wallets = new address[](2);
        uint256[] memory percents = new uint256[](2);
        uint256[] memory vestingEnds = new uint256[](2);

        wallets[0] = founder;
        wallets[1] = founder2;

        percents[0] = 50;
        percents[1] = 50;

        vestingEnds[0] = 4 weeks;
        vestingEnds[1] = 4 weeks;

        setFounderParams(wallets, percents, vestingEnds);
    }

in Token.t.sol,

https://github.com/code-423n4/2022-09-nouns-builder/blob/main/test/Token.t.sol

add the import

import "forge-std/console.sol";

and the test

    function test_FounderSettings_POC() public {

        deployMock();

        TokenTypesV1.Founder[] memory founderSettings = token.getFounders();

        for(uint256 i; i < founderSettings.length; ++i) {
            console.log('founder wallet', founderSettings[i].wallet);
            console.log('ownership pct', founderSettings[i].ownershipPct);
            console.log('vest expiry', founderSettings[i].vestExpiry);
            console.log("");
        }
    }

we run

forge test -vv --match FounderSettings_POC

the result is

Running 1 test for test/Token.t.sol:TokenTest
[PASS] test_FounderSettings_POC() (gas: 2834475)
Logs:
  founder wallet 0xd3562Fd10840f6bA56112927f7996B7c16edFCc1
  ownership pct 50
  vest expiry 2419200

  founder wallet 0xA7cBf566E80C4A1Df2C4aE965c79FB087f25E4bF
  ownership pct 50
  vest expiry 2419200

this is expect.

we can run

 forge test -vvvv --match FounderSettings_POC

to track the event emissioned.

we see

emit MintScheduled(baseTokenId: 0, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))    
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 2, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))    
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 4, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))    
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 6, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))    
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 8, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))    
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 10, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 12, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 14, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 16, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 18, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 20, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 22, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 24, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 26, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 28, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 30, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 32, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 34, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 36, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 38, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 40, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 42, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 44, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 46, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 48, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 50, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 52, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 54, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 56, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 58, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 60, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 62, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 64, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 66, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 68, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 70, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 72, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 74, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 76, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 78, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 80, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 82, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 84, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 86, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 88, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 90, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 92, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 94, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 96, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 98, founderId: 0, founder: (0xd3562fd10840f6ba56112927f7996b7c16edfcc1, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 1, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))    
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 3, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))    
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 5, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))    
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 7, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))    
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 9, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))    
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 11, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 13, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 15, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 17, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 19, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 21, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 23, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 25, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 27, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 29, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 31, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 33, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 35, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 37, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 39, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 41, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 43, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 45, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 47, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 49, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 51, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 53, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 55, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 57, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 59, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 61, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 63, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 65, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 67, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 69, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 71, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 73, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 75, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 77, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 79, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 81, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 83, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 85, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 87, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 89, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 91, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 93, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 95, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 97, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))   
    │   │   │   │   ├─ emit MintScheduled(baseTokenId: 99, founderId: 1, founder: (0xa7cbf566e80c4a1df2c4ae965c79fb087f25e4bf, 50, 2419200))

this shows that nft id 0 - 99 and belongs to founders and need to be minted before the nft is minted for auction.
this means, that user creation auction and call mint, he has to mint 100 nft token for founders.

Tools Used

Foundry
Manual Review

Recommended Mitigation Steps

we can set limit on founderPct

or when adding founders,

instead of % 100, we recommend using a large number, such as % 1000.

Or we can build a separate smart contract for founder nft distriubtion.

we can say,

for every nft id that is % 10 = 0,

mint nft to a founder nft distribution contract,

then nft founder can claim the nft.
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Sep 8, 2022
code423n4 added a commit that referenced this issue Sep 8, 2022
@code423n4
ladboy233 issue #67
1152b97
@GalloDaSballo
Copy link
Collaborator

Dup of #347

@GalloDaSballo GalloDaSballo added the duplicate This issue or pull request already exists label Sep 20, 2022
@JeeberC4 JeeberC4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Oct 5, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@GalloDaSballo @code423n4 @JeeberC4