Incorrect price calculation for edge case #986
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
duplicate-564
🤖_03_group: AI based duplicate group recommendation
satisfactory: satisfies C4 submission criteria; eligible for awards
sufficient quality report: This report is of sufficient quality
Lines of code
https://github.com/code-423n4/2024-07-traitforge/blob/279b2887e3d38bc219a05d332cbcb0655b2dc644/contracts/TraitForgeNft/TraitForgeNft.sol#L227-L232
https://github.com/code-423n4/2024-07-traitforge/blob/279b2887e3d38bc219a05d332cbcb0655b2dc644/contracts/TraitForgeNft/TraitForgeNft.sol#L181-L200
Vulnerability details
Impact
According to calculateMintPrice(), the first NFT in each generation will be minted at price startPrice. But the actual price for the first NFT in each generation is startPrice + priceIncrement * maxTokensPerGen. The miner has to pay more funds than expected.
Proof of Concept
The same vulnerability happens in mintToken() and mintWithBudget(). Let's take mintToken() as one example:
The first NFT in generation 0 price: startPrice
The second NFT in generation 0 price: startPrice + priceIncrement
...
The 100000th NFT in generation 0 price: startPrice + priceIncrement * 99999
The next one should be the first NFT in generation 2, so the expected price is startPrice, but the actual price is startPrice + priceIncrement * 100000.
The vulnerability is that we calculate the new NFT's price first and only then calculate which generation this NFT belongs to.
We should calculate the new NFT's generation first, and then calculate its price.
Tools Used
Manual
Recommended Mitigation Steps
Calculate the new NFT's generation first, and then calculate the new NFT's price.
Assessed type
Error
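The ordering problem described in this report, reproduced as a small Python model. This is an added example, not the TraitForge contract code or the reporter's proof of concept. The class, its method names, the generation index starting at 0 and the sample values (start price 100, increment 5, 4 tokens per generation) are constructed for illustration; only startPrice, priceIncrement and maxTokensPerGen come from the report.

```python
class MintModel:
    """Model of per-generation linear pricing with a generation rollover."""

    def __init__(self, start_price, price_increment, max_tokens_per_gen, roll_first):
        self.start_price = start_price
        self.price_increment = price_increment
        self.max_tokens_per_gen = max_tokens_per_gen
        # roll_first=False: price is computed before the generation check
        # (the order the report describes). roll_first=True: recommended order.
        self.roll_first = roll_first
        self.generation = 0              # model-internal index, constructed
        self.minted_in_gen = {0: 0}      # generation -> tokens minted so far

    def _price(self):
        minted = self.minted_in_gen[self.generation]
        return self.start_price + self.price_increment * minted

    def _roll_generation_if_full(self):
        if self.minted_in_gen[self.generation] >= self.max_tokens_per_gen:
            self.generation += 1
            self.minted_in_gen.setdefault(self.generation, 0)

    def mint(self):
        """Mint one token; return (generation it lands in, price charged)."""
        if self.roll_first:
            self._roll_generation_if_full()
            price = self._price()
        else:
            price = self._price()        # still counts the full, old generation
            self._roll_generation_if_full()
        self.minted_in_gen[self.generation] += 1
        return self.generation, price


def prices_around_boundary(roll_first, start_price=100, price_increment=5,
                           max_tokens_per_gen=4):
    """Mint one full generation plus two tokens of the next one."""
    model = MintModel(start_price, price_increment, max_tokens_per_gen, roll_first)
    return [model.mint() for _ in range(max_tokens_per_gen + 2)]


if __name__ == "__main__":
    for label, roll_first in (("price first", False), ("generation first", True)):
        print(label, prices_around_boundary(roll_first))
```

With the price computed first, the first token of the new generation is charged startPrice + priceIncrement * maxTokensPerGen, while the second token of that generation is priced correctly again, so only the boundary mint is affected.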