Escher contest - Soosh's results

A decentralized curated marketplace for editioned artwork.

General Information

Platform: Code4rena

Start Date: 06/12/2022

Pot Size: $36,500 USDC

Total HM: 16

Participants: 119

Period: 3 days

Judge: berndartmueller

Total Solo HM: 2

Id: 189

League: ETH

Escher

Researcher Performance

Rank: 77/119

Findings: 2

Award: $30.15

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

1.3417 USDC - $1.34

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
duplicate-328

External Links

Lines of code

https://github.com/code-423n4/2022-12-escher/blob/5d8be6aa0e8634fdb2f328b99076b0d05fefab73/src/minters/FixedPrice.sol#L73

https://github.com/code-423n4/2022-12-escher/blob/5d8be6aa0e8634fdb2f328b99076b0d05fefab73/src/minters/LPDA.sol#L81

Vulnerability details

The only way to end a sale when it has already started is if all the NFTs have been bought (minted). The only way the NFT creator gets paid from the sale is if the sale ends.

End sale condition example in FixedPrice.sol

if (newId == sale_.finalId) _end(sale);

This means that all NFTs must be bought or the creator will not be able to receive any payment. The creator must either wait for all NFTs to be bought (which could be forever), or buy their own NFTs to end (which requires capital they may not have).

Impact

Creator cannot receive payment for NFTs that sold unless all NFTs have been sold.

I believe it is an incorrect assumption that all NFT projects will be popular and sold out fully. The common case will be that the creator will be unable to collect payment for sold NFTs (loss of funds).

Recommendations

Should reconsider the current design to instead allow the creator to receive payment of the NFTs that were already sold.

The current design of all sales contracts is that payment is only made once to the creator, when the sale has ended. If this is desired, then the FixedPrice and LPDA contracts could follow the OpenEdition contract's way of ending the sale after a specific deadline. So even if not all NFTs are sold, the creator can end the sale and receive payment.

#0 - c4-judge

2022-12-12T08:56:52Z

berndartmueller marked the issue as duplicate of #328

#1 - c4-judge

2023-01-02T20:20:47Z

berndartmueller changed the severity to 2 (Med Risk)

#2 - c4-judge

2023-01-02T20:22:41Z

berndartmueller marked the issue as satisfactory

Findings Information

Labels

bug
2 (Med Risk)
partial-50
duplicate-377

Awards

28.8137 USDC - $28.81

External Links

Lines of code

https://github.com/code-423n4/2022-12-escher/blob/5d8be6aa0e8634fdb2f328b99076b0d05fefab73/src/minters/FixedPrice.sol#L110

https://github.com/code-423n4/2022-12-escher/blob/5d8be6aa0e8634fdb2f328b99076b0d05fefab73/src/minters/OpenEdition.sol#L122

Vulnerability details

Use of selfdestruct() is deprecated: https://eips.ethereum.org/EIPS/eip-6049. Vitalik's post: https://hackmd.io/@vbuterin/selfdestruct

A breaking change is expected where SELFDESTRUCT will be removed some time in the future. This will break the contracts' functionality and cause the NFT creator to not be able to receive payment.

Impact

The protocol will be broken when the breaking change is implemented; it may result in the creator being unable to receive payment since selfdestruct() is used.

Recommendation

Use call() instead to send ether.

#0 - c4-judge

2022-12-11T18:35:39Z

berndartmueller marked the issue as duplicate of #377

#1 - berndartmueller

2023-01-03T15:35:58Z

Applying partial credit as the warden did not demonstrate a concrete impact

#2 - c4-judge

2023-01-03T15:36:04Z

berndartmueller marked the issue as partial-50
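
Both recommendations above (ending the sale after a deadline, and paying out with call() instead of selfdestruct()) can be seen together in one simplified fixed-price sale. This is an added example, not Escher's code: the contract name, `endTime`, `finalize()` and the omission of minting and fees are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not Escher's code. Minting and protocol fees are omitted;
// endTime and finalize() are hypothetical names for the deadline recommendation.
contract FixedPriceSketch {
    address payable public immutable saleReceiver;
    uint256 public immutable price;
    uint48 public immutable finalId;
    uint96 public immutable endTime;
    uint48 public currentId;
    bool public ended;

    event End(uint48 sold, uint256 paid);

    constructor(address payable _receiver, uint256 _price, uint48 _finalId, uint96 _endTime) {
        require(_receiver != address(0), "NO RECEIVER");
        saleReceiver = _receiver;
        price = _price;
        finalId = _finalId;
        endTime = _endTime;
    }

    function buy(uint48 _amount) external payable {
        require(!ended && block.timestamp < endTime, "SALE OVER");
        require(uint256(_amount) * price == msg.value, "WRONG PRICE");
        uint48 newId = currentId + _amount;
        require(newId <= finalId, "TOO MANY");
        currentId = newId; // NFT minting would happen here
        if (newId == finalId) _end(); // sell-out path, as in the finding
    }

    // Deadline path: a sale that never sells out can still be settled.
    function finalize() external {
        require(block.timestamp >= endTime, "TOO SOON");
        _end();
    }

    function _end() internal {
        require(!ended, "ENDED");
        ended = true; // state is updated before the external call
        uint256 amount = address(this).balance;
        (bool ok, ) = saleReceiver.call{value: amount}("");
        require(ok, "PAYOUT FAILED"); // a failed transfer reverts instead of being ignored
        emit End(currentId, amount);
    }
}
```

If `saleReceiver` is a contract that rejects ether, both the final `buy` and `finalize()` revert; a pull-style withdraw function avoids tying buyers to the receiver's behaviour.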
