Platform: Code4rena
Start Date: 20/09/2022
Pot Size: $100,000 USDC
Total HM: 4
Participants: 109
Period: 7 days
Judge: GalloDaSballo
Id: 163
League: ETH
Rank: 10/109
Findings: 2
Award: $2,830.23
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: wagmi
Also found by: 0x52, CertoraInc, Lambda, RaymondFam, arcoun
The amount of gobblers owned by the address minting the legendary gobbler is incorrect, showing that the user owns 1 more gobbler than they do
getUserData[msg.sender].gobblersOwned = uint32(getUserData[msg.sender].gobblersOwned - cost + 1);
In ArtGobblers.sol#L458 the cost of the legendary gobbler is subtracted and 1 is added to account for the new legendary gobbler being minted.
_mint(msg.sender, gobblerId);
Later in L469 _mint is called which increments the number of gobblers owned again. This results in the number of gobbler stored for the user being incorrect. This causes GobblersERC721.sol#balanceOf to return the incorrect value and any contract or integration that makes use of this data will be given incorrect data.
Manual Review
Since _mint already takes care of adding to owner count, L458 should be rewritten as follows:
getUserData[msg.sender].gobblersOwned = uint32(getUserData[msg.sender].gobblersOwned - cost);
#0 - Shungy
2022-09-28T18:41:55Z
#1 - GalloDaSballo
2022-09-29T20:36:03Z
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0x52, 0x5rings, 0xNazgul, 0xRobocop, 0xSmartContract, 0xdeadbeef, 0xsanson, 8olidity, Amithuddar, Aymen0909, B2, B353N, CertoraInc, Ch_301, Chom, CodingNameKiki, Deivitto, ElKu, Funen, JC, JohnnyTime, Kresh, Lambda, Noah3o6, RaymondFam, ReyAdmirado, RockingMiles, Rolezn, Sm4rty, SuldaanBeegsi, Tadashi, TomJ, Tomio, V_B, Waze, __141345__, a12jmx, ak1, arcoun, asutorufos, aviggiano, berndartmueller, bharg4v, bin2chen, brgltd, bulej93, c3phas, catchup, cccz, ch0bu, cryptonue, cryptphi, csanuragjain, delfin454000, devtooligan, djxploit, durianSausage, eighty, erictee, exd0tpy, fatherOfBlocks, giovannidisiena, hansfriese, ignacio, joestakey, ladboy233, lukris02, m9800, malinariy, martin, minhtrng, obront, oyc_109, pedr02b2, pedroais, pfapostol, philogy, prasantgupta52, rbserver, ronnyx2017, rotcivegaf, rvierdiiev, sach1r0, shung, simon135, throttle, tnevler, tonisives, wagmi, yixxas, zkhorse, zzykxx, zzzitron
55.1985 USDC - $55.20
Detailed description of the impact of this finding.
uint256 timeSinceStart = block.timestamp - mintStart; return getVRGDAPrice(toDaysWadUnsafe(timeSinceStart), numMintedFromGoo);
ArtGobblers.sol#gobblerPrice calculates time starting from mintStart to use when queuing price from VRGDA.
gobblerRevealsData.nextRevealTimestamp = uint64(_mintStart + 1 days);
The emissionMultiple for each gobbler isn't set until reveal which happens at a minimum of 1 day after mintStart (set in the constructor). For the day between minting and revealing, the VRGDA curve is effectively trying to mint the gobblers but no one has goo because the reveal hasn't assigned the emissionMultiples. The VRGDA curve is designed so that it targets a high number of gobblers that first day and the pricing is set to change the price of gobblers extremely aggressively. The combination of these 3 factors will make so that when users finally get goo, the prices of all the gobblers that should have been minted the first day will be next to nothing.
Manual Review
L399 should be changed to make it so that gobblers can be bought until a minimum of 1 day after mintStart, to compensate for the reveal timing:
uint256 timeSinceStart = block.timestamp - mintStart + 1 days;
#0 - Shungy
2022-09-27T21:08:48Z
the prices of all the gobblers that should have been minted the first day will be next to nothing.
1 day delay would decrease the price by 31% only. So it does not seem like a big deal. Although the recommendation seems like an improvement, this is definitely not a High Risk issue.
#1 - GalloDaSballo
2022-10-09T21:43:02Z
I think this finding is the perfect example of needing a POC.
I'm not sure what to do with this but I'll have to code a tool to help me figure out what happens with 1 day of delay.
Because the finding is limited to 1 day, there's also no possibility this will be a High Severity finding
#2 - GalloDaSballo
2022-10-09T22:51:02Z
I think this finding is logically equivalent to saying that the first Mint is discounted.
We technically have no way of claiming this is cause for economic loss, as the tokens are minted via Goo which can be obtained for free.
However, I think the finding is valid.
Because the "loss" is a discount for Day 1. And technically can be avoided by changing a deployment parameter.
I think Low Severity to be more appropriate
#3 - GalloDaSballo
2022-10-09T22:51:04Z
L