Incorrect calculation of the price of each new generation first NFT #4
Labels: 2 (Med Risk), bug, downgraded by judge, duplicate-564, edited-by-warden, 🤖_primary, 🤖_03_group, satisfactory, sufficient quality report
Lines of code
https://github.com/code-423n4/2024-07-traitforge/blob/main/contracts/TraitForgeNft/TraitForgeNft.sol#L181-L200
Vulnerability details
Impact
The TraitForge protocol supports multiple generations (10 at the beginning), and each generation can have 10_000 NFTs (this value is hardcoded in the TraitForgeNft contract). The price of each NFT is calculated in the calculateMintPrice() function. The first NFT costs 0.005 ETH (this is the startPrice) and each subsequent one rises linearly by 0.0000245 ETH (this is the priceIncrement). After 10_000 NFTs are minted, the priceIncrement is increased by the priceIncrementByGen, which is 0.000005 ETH. The second generation NFTs' cost should start from 0.005 ETH again and increase linearly, this time by 0.0000245 + 0.000005 = 0.0000295 ETH.

As described in the docs:

"10,000 “Gen 1” entities are available to mint. The first starts at 0.005 ETH and each subsequent one rises linearly by 0.0000245 ETH until the final is 0.25 ETH. In total if all are minted then 1,275 ETH is raised in Generation 1. Each generation’s price increment increases by 0.000005."

However, this is not the case. As we can see in the mintToken() function:
First, the calculateMintPrice() function is called to calculate the mint price:
Then the _mintInternal() function is called, where it is checked whether the generation should be increased or not, and then the NFT is minted.
When users have minted 10_000 NFTs of the first generation and the next user tries to mint the 1st NFT of the second generation, the calculateMintPrice() function will calculate the mint price as follows:
Thus the user will have to pay 0.25 ETH for the first NFT of the second generation instead of 0.005 ETH, which is 50 times more expensive. This will occur for each first NFT of a generation; whether users have forged NFTs previously doesn't matter. Currently the protocol has 10 generations; however, they have mentioned in the docs that they intend to increase this number as the protocol progresses. This miscalculation may deter users from buying the first NFT of the second generation, and thus only the first generation of NFTs will be minted, which results in a loss for the protocol, as part of the funds are distributed to the devs and owner.
Proof of Concept
Gist
After completing the steps in the above mentioned gist add the following test to the AuditorTests.t.sol file:
To run the test use:
forge test -vvv --mt test_WrongPriceCalculation
Tools Used
Manual review & Foundry
Recommended Mitigation Steps
Consider calculating the price of an NFT in the _mintInternal() function after the check for whether a generation should be increased or not is performed:
Assessed type
Context
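The ordering problem described in this report can be reproduced with a small model. This is an added example, not code from the report or from the TraitForge repository: the class and function names are hypothetical, the constants are the values quoted in the report, and forging and all other contract logic are left out by assumption.

```python
# Simplified model of the mint pricing described in the report
# (an illustration, not the TraitForge contract). Amounts are in wei.
START_PRICE = 5 * 10**15             # 0.005 ETH (startPrice)
PRICE_INCREMENT = 245 * 10**11       # 0.0000245 ETH (priceIncrement)
PRICE_INCREMENT_BY_GEN = 5 * 10**12  # 0.000005 ETH (priceIncrementByGen)
MAX_PER_GEN = 10_000                 # NFTs per generation


class MintModel:
    def __init__(self, price_after_rollover):
        # False: price is computed before the generation check (reported order).
        # True:  price is computed after the generation check (recommended order).
        self.price_after_rollover = price_after_rollover
        self.generation = 1
        self.minted_in_gen = 0
        self.price_increment = PRICE_INCREMENT

    def _price(self):
        return START_PRICE + self.price_increment * self.minted_in_gen

    def _roll_over_if_full(self):
        if self.minted_in_gen >= MAX_PER_GEN:
            self.generation += 1
            self.minted_in_gen = 0
            self.price_increment += PRICE_INCREMENT_BY_GEN

    def mint(self):
        if self.price_after_rollover:
            self._roll_over_if_full()
            price = self._price()
        else:
            price = self._price()      # still sees the full previous generation
            self._roll_over_if_full()
        self.minted_in_gen += 1
        return price


def prices_around_rollover(price_after_rollover):
    """Mint all of generation 1, then return the prices of the next two
    mints and the generation the model ends in."""
    model = MintModel(price_after_rollover)
    for _ in range(MAX_PER_GEN):
        model.mint()
    return model.mint(), model.mint(), model.generation


if __name__ == "__main__":
    print("price before check:", prices_around_rollover(False))
    print("price after check: ", prices_around_rollover(True))
```

Only the first mint of the new generation differs between the two orderings; the second mint is priced identically in both, which is why a regression test should assert on the mint that crosses the generation boundary.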