Platform: Code4rena
Start Date: 06/12/2022
Pot Size: $36,500 USDC
Total HM: 16
Participants: 119
Period: 3 days
Judge: berndartmueller
Total Solo HM: 2
Id: 189
League: ETH
Rank: 22/119
Findings: 2
Award: $162.91
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: ForkEth
Also found by: CRYP70, Ch_301, Chom, Lambda, adriro, csanuragjain, minhquanym
131.7499 USDC - $131.75
According to the provided documentation in the GitHub repository, we have for the variable endTime in LPDA:
endTime: the ending time in unix of the sale
Therefore, it should not be possible to buy tokens after this time, as the sale has ended. However, this is not checked, it is only checked that the time is greater than the start time:
require(block.timestamp >= temp.startTime, "TOO SOON");
Therefore, it is possible to buy tokens after the end time for the final price.
Let's say an auction starts at time $t$ and has an end time of time $t + 3600$. The price at time $t$ is 1 ETH and at time $t + 3600$, it is 0.5 ETH. At time $t + 3800$, it should no longer be possible to buy NFTs, as the sale has ended. However, a user can still buy tokens for 0.5 ETH then, as long as the final ID was not reached.
Disallow buying tokens after the end time.
#0 - c4-judge
2022-12-13T16:59:13Z
berndartmueller marked the issue as duplicate of #474
#1 - c4-judge
2023-01-02T20:31:10Z
berndartmueller marked the issue as satisfactory
🌟 Selected for report: 0xSmartContract
Also found by: 0x1f8b, 0x4non, 0xA5DF, 0xNazgul, 0xRobocop, 0xfuje, Bnke0x0, HollaDieWaldfee, Lambda, RaymondFam, TomJ, _Adam, adriro, ajtra, carrotsmuggler, cccz, danyams, gasperpre, hansfriese, helios, immeas, joestakey, ladboy233, nameruse, obront, oyc_109, rvierdiiev, saian, sakshamguruji, seyni, slvDev, yixxas, zaskoh
31.1555 USDC - $31.16
selfdestructAfter EIP-4758, the SELFDESTRUCT op code will no longer be available. Currently, the project uses selfdestruct in FixedPrice and OpenEdition to send the funds (and destroy the contract) after an auction has ended. The sending of the funds should still work (even after EIP-4758), but it may still be desirable to not rely on an opcode that will be removed in the future (and where the exact behavior afterwards is not known yet).
transfer used in multiple placesIn multiple places, transfer is used for sending ETH. Because the function only provides a 2300 gas stipend, this may fail with smart contract wallets that contain some logic in its receive function.
When a sale is the last lase within FixedPrice and LPDA, the fees are transfered to the fee receiver (i.e., push transfer). The fee receiver could revert on purpose to grift a sale, e.g. to avoid that a certain user buys a token or to buy the last one himself and sell it OTC for a higher price. This may be undesirable, so using a pull-based pattern may be more appropriate.
address(0), resulting in burned feesIn the three factories, setFeeReceiver can be used to set the fee receiver to address(0). In such cases, the transfer of the fees will still be initiated, but it will result in burning the ETH. Consider disallowing setting the address to 0 or only initiating a transfer of fees when it is non-zero.
In the two functions, the comment above the function says: "/// @notice buy from a fixed price sale after the sale starts".
This is wrong (and probably a copy-past error from FixedPrice).
After the seed base is set, everyone can calculate the result of tokenToSeed for all token IDs. Because the function is not used within the codebase, the impact of that is not clear to me. However, if it should be used for randomness (e.g., NFT reveals), this would be very bad because users could already determine their NFT before the on-chain reveal. For that, Chainlink VRF would be a good alternative.
#0 - c4-judge
2023-01-04T10:46:11Z
berndartmueller marked the issue as grade-b