Platform: Code4rena
Start Date: 03/05/2022
Pot Size: $30,000 USDC
Total HM: 6
Participants: 93
Period: 3 days
Judge: gzeon
Id: 118
League: ETH
Rank: 78/93
Findings: 1
Award: $30.28
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: defsec
Also found by: 0v3rf10w, 0x1f8b, 0x4non, 0x52, 0xDjango, 0xf15ers, 0xkatana, 0xliumin, AuditsAreUS, BowTiedWardens, CertoraInc, Cr4ckM3, Funen, GimelSec, Hawkeye, IllIllI, Kulk0, M0ndoHEHE, MaratCerby, Picodes, Ruhum, TerrierLover, TrungOre, VAD37, WatchPug, berndartmueller, broccolirob, catchup, cccz, cryptphi, csanuragjain, delfin454000, dirk_y, eccentricexit, ellahi, fatherOfBlocks, gzeon, hake, hansfriese, hickuphh3, horsefacts, hubble, hyh, ilan, joestakey, kebabsec, kenta, kenzo, leastwood, m9800, marximimus, minhquanym, oyc_109, p4st13r4, pauliax, pedroais, peritoflores, plotchy, rajatbeladiya, reassor, rfa, robee, rotcivegaf, samruna, shenwilly, shung, simon135, sorrynotsorry, sseefried, teddav, throttle, tintin, unforgiven, z3s
30.2807 USDC - $30.28
setFinalPrice() should just set final price to lowest price to avoid any mistakes. It is only triggered DA doesn't sell out which means setFinalPrice should always be set to lowest anyways
functions adjusting DA price parameters should either be locked after start of auction or ensure that the current price after change is either less than or equal to the current price before the change. If the current price ever increases as a result and the final price ends up being higher than the price paid by even one user then the issueRefunds function breaks due to an negative number for that user when calling refundOwed.
assuming correctly set DA parameters check is redundant and can never be triggered because of check in L279-281
incorrect variable description, says "Tracks total count of NFTs claimed by a given address" but this is not true. It is simply a bool that tracks whether the address has claimed yet. Should be "Tracks if a given address minted in the claimlist"