Platform: Code4rena
Start Date: 11/08/2022
Pot Size: $40,000 USDC
Total HM: 8
Participants: 108
Period: 4 days
Judge: hickuphh3
Total Solo HM: 2
Id: 152
League: ETH
Rank: 8/108
Findings: 3
Award: $1,239.89
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: itsmeSTYJ
Also found by: 0x1f8b, 0x52, 0xDjango, Ch_301, Chom, KIntern_NA, PwnedNoMore, Treasure-Seeker, auditor0517, byndooa, cccz, csanuragjain, ladboy233, nine9, shenwilly, thank_you, yixxas, zkhorse
42.8343 USDC - $42.83
User can bypass mint limit
if (IERC721(nftContract).balanceOf(msg.sender) + count > saleConfig.limitPerAccount) {
L183 only checks the current balance of msg.sender, not the actual number of nfts that they have minted. This allows the user to mint, send the nfts to another address then mint more.
Add a mapping that stores the number of nfts a user has minted from a specific contract and update it when a user mints:
mapping(address => mapping(address => uint256)) mintCount;
#0 - HardlyDifficult
2022-08-17T20:58:30Z
🌟 Selected for report: Lambda
Also found by: 0x52, KIntern_NA
Other royalty recipients don't receive their share
First royalty recipient can cheat other out of their share by setting their royalty >100%. Because of the short circuit in L485 the first creator will be sent all royalties if any of the recipients are >100%.
Instead of breaking the entire loop, creatorShares should be set to 0 for recipients with royalty > 10000
#0 - HardlyDifficult
2022-08-17T07:34:34Z
🌟 Selected for report: Saw-mon_and_Natalie
Also found by: 0x1f8b, 0x52, 0xDjango, 0xNazgul, 0xSmartContract, 0xSolus, 0xackermann, 0xmatt, 0xsolstars, Aymen0909, Bnke0x0, Chom, Deivitto, DevABDee, Dravee, ElKu, IllIllI, JC, Kumpa, Lambda, LeoS, MiloTruck, PwnedNoMore, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, TomJ, Treasure-Seeker, Vexjon, Waze, Yiko, __141345__, apostle0x01, auditor0517, berndartmueller, bin2chen, bobirichman, brgltd, bulej93, c3phas, carlitox477, cccz, cryptphi, csanuragjain, d3e4, danb, delfin454000, durianSausage, erictee, fatherOfBlocks, gogo, iamwhitelights, joestakey, jonatascm, ladboy233, mics, oyc_109, rbserver, ret2basic, robee, rokinot, rvierdiiev, shenwilly, sikorico, simon135, thank_you, wagmi, yash90, zeesaw, zkhorse
41.2563 USDC - $41.26
https://github.com/code-423n4/2022-08-foundation/blob/792e00df429b0df9ee5d909a0a5a6e72bd07cf79/contracts/mixins/shared/MarketFees.sol#L231-L271 https://github.com/code-423n4/2022-08-foundation/blob/792e00df429b0df9ee5d909a0a5a6e72bd07cf79/contracts/mixins/shared/MarketFees.sol#L279-L332
Fees do not match fees specified by contract owner
try IRoyaltyInfo(nftContract).royaltyInfo{ gas: READ_ONLY_GAS_LIMIT }(tokenId, BASIS_POINTS) returns ( address receiver, uint256 /* royaltyAmount */
MarketFees.sol is designed to support any generic contract that adheres to certain interfaces. One of those interfaces is EIP-2981, however, MarketFees.sol is not fully compliant because it fails to take the proper amount of royalties. EIP-2981 specifically supports the ability for variable fees. When referencing this, MarketFees.sol disregards the amount and sends a standard fee.
When using EIP-2981 compliant methods, the amount of the royalty should be passed out rather than the split.
#0 - HardlyDifficult
2022-08-17T07:15:31Z
#1 - HickupHH3
2022-08-26T04:51:09Z
Warden's primary QA