Platform: Code4rena
Start Date: 11/08/2022
Pot Size: $40,000 USDC
Total HM: 8
Participants: 108
Period: 4 days
Judge: hickuphh3
Total Solo HM: 2
Id: 152
League: ETH
Rank: 66/108
Findings: 1
Award: $42.83
Selected for report: 0
Solo Findings: 0
Selected for report: itsmeSTYJ
Also found by: 0x1f8b, 0x52, 0xDjango, Ch_301, Chom, KIntern_NA, PwnedNoMore, Treasure-Seeker, auditor0517, byndooa, cccz, csanuragjain, ladboy233, nine9, shenwilly, thank_you, yixxas, zkhorse
42.8343 USDC - $42.83
The users could lose their rights to mint all of the limitPerAccount, or some of them.
If any user buys these NFTs from the secondary market, or he just minted with another address and then transfers them to this address, in these cases this user can't bypass this check
File: /main/contracts/mixins/nftDropMarket/NFTDropMarketFixedPriceSale.sol

```solidity
if (IERC721(nftContract).balanceOf(msg.sender) + count > saleConfig.limitPerAccount) {
  if (saleConfig.limitPerAccount == 0) {
    // Provide a more targeted error if the collection has not been listed.
    revert NFTDropMarketFixedPriceSale_Must_Have_Sale_In_Progress();
  }
  revert NFTDropMarketFixedPriceSale_Cannot_Buy_More_Than_Limit(saleConfig.limitPerAccount);
}
```
even though he never minted in this collection.
Add a check to inquire where their NFTs come from, or check whether he reaches the limitPerAccount by minting, not just check the balanceOf(msg.sender).
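The recommendation above, sketched as an added example that is not part of the finding or of Foundation's code: the limit is enforced against a per-account mint counter instead of `balanceOf`. `IDropSketch`, `LimitPerAccountSketch`, `mintedByAccount`, `mintFromSale` and the `mintCountTo` signature are hypothetical names for illustration, and payment handling is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.12;

// Hypothetical minimal view of a drop collection, for this sketch only.
interface IDropSketch {
    function balanceOf(address owner) external view returns (uint256);
    function mintCountTo(uint16 count, address to) external returns (uint256 firstTokenId);
}

contract LimitPerAccountSketch {
    error Cannot_Buy_More_Than_Limit(uint256 limit);

    IDropSketch public immutable nft;
    uint256 public immutable limitPerAccount;

    // buyer => number of tokens this buyer has minted through this sale.
    mapping(address => uint256) public mintedByAccount;

    constructor(IDropSketch nft_, uint256 limitPerAccount_) {
        nft = nft_;
        limitPerAccount = limitPerAccount_;
    }

    // Check as reported: every token the buyer currently holds counts, so
    // tokens bought on a secondary market or transferred in from another
    // address consume the allowance even though the buyer never minted.
    function allowedByBalance(address buyer, uint256 count) public view returns (bool) {
        return nft.balanceOf(buyer) + count <= limitPerAccount;
    }

    // Check as recommended: only tokens the buyer minted here count, and
    // transfers in or out of the account do not change the result.
    function allowedByMintCount(address buyer, uint256 count) public view returns (bool) {
        return mintedByAccount[buyer] + count <= limitPerAccount;
    }

    // Payment handling is omitted to keep the sketch focused on the limit.
    function mintFromSale(uint16 count) external returns (uint256 firstTokenId) {
        if (!allowedByMintCount(msg.sender, count)) {
            revert Cannot_Buy_More_Than_Limit(limitPerAccount);
        }
        // Update the counter before the external call (checks-effects-interactions).
        mintedByAccount[msg.sender] += count;
        firstTokenId = nft.mintCountTo(count, msg.sender);
    }
}
```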
#0 - 0xlgtm
2022-08-17T03:53:39Z
This issue overlaps with the issue of "bypass account limits" but I'm not entirely sure if the warden is trying to highlight that based on how this issue is worded.
#1 - HardlyDifficult
2022-08-17T20:55:06Z
It's a different scenario perspective on the same root cause. I feel it's a dupe but not opposed to tracking these separately.
Dupe of https://github.com/code-423n4/2022-08-foundation-findings/issues/59
#2 - HickupHH3
2022-08-26T08:18:49Z
Agreed. Different perspective on the same issue. Keeping it marked as a dup.