Platform: Code4rena
Start Date: 20/09/2022
Pot Size: $100,000 USDC
Total HM: 4
Participants: 109
Period: 7 days
Judge: GalloDaSballo
Id: 163
League: ETH
Rank: 76/109
Findings: 1
Award: $55.20
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: IllIllI
Also found by: 0x1f8b, 0x4non, 0x52, 0x5rings, 0xNazgul, 0xRobocop, 0xSmartContract, 0xdeadbeef, 0xsanson, 8olidity, Amithuddar, Aymen0909, B2, B353N, CertoraInc, Ch_301, Chom, CodingNameKiki, Deivitto, ElKu, Funen, JC, JohnnyTime, Kresh, Lambda, Noah3o6, RaymondFam, ReyAdmirado, RockingMiles, Rolezn, Sm4rty, SuldaanBeegsi, Tadashi, TomJ, Tomio, V_B, Waze, __141345__, a12jmx, ak1, arcoun, asutorufos, aviggiano, berndartmueller, bharg4v, bin2chen, brgltd, bulej93, c3phas, catchup, cccz, ch0bu, cryptonue, cryptphi, csanuragjain, delfin454000, devtooligan, djxploit, durianSausage, eighty, erictee, exd0tpy, fatherOfBlocks, giovannidisiena, hansfriese, ignacio, joestakey, ladboy233, lukris02, m9800, malinariy, martin, minhtrng, obront, oyc_109, pedr02b2, pedroais, pfapostol, philogy, prasantgupta52, rbserver, ronnyx2017, rotcivegaf, rvierdiiev, sach1r0, shung, simon135, throttle, tnevler, tonisives, wagmi, yixxas, zkhorse, zzykxx, zzzitron
55.1985 USDC - $55.20
This could truncate the price value of legendaryGobblerAuctionData.startPrice during the mintLegendaryGobbler call.
legendaryGobblerAuctionData.startPrice = uint120( cost <= LEGENDARY_GOBBLER_INITIAL_START_PRICE / 2 ? LEGENDARY_GOBBLER_INITIAL_START_PRICE : cost * 2 );
The type of legendaryGobblerAuctionData.startPrice is uint128, which can hold values greater than uint120. But during price calculation, an incorrect typecast is used. This could lead to a lower price value than expected.
Manual code review
Typecast as uint128, as done in the line of code below.
https://github.com/code-423n4/2022-09-artgobblers/blob/d2087c5a8a6a4f1b9784520e7fe75afa3a9cbdbe/src/ArtGobblers.sol#L324
Example:
legendaryGobblerAuctionData.startPrice = uint128(LEGENDARY_GOBBLER_INITIAL_START_PRICE);
#0 - Shungy
2022-09-28T09:46:18Z
The maximum cost is around ~4k. Even if you ignore supply limitation and assume all legendary gobblers are minted at max price, the last gobbler will cost 69 * 2**9. That fits uint120.
That being said, this finding is not wholly invalid, as the type of startPrice is uint128, so it does not make sense to cast it to uint120 first. So should be informational in QA report.
#1 - GalloDaSballo
2022-10-09T18:46:41Z
Per the discussion above, the limit of the cast doesn't create a "Low Risk", however, for the sake of consistency a uint128 should be used.
I believe QA Refactoring to be more appropriate
R
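The cast behaviour debated in this finding and its comments, as an added Solidity sketch that is not code from the ArtGobblers repository: an explicit narrowing cast in Solidity 0.8 does not revert, it keeps only the low-order bits. The contract name, function names, error name and the constant's value are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Added illustration, not ArtGobblers code. All names here are hypothetical.
contract StartPriceCastDemo {
    // Assumed value, for illustration only.
    uint256 internal constant LEGENDARY_GOBBLER_INITIAL_START_PRICE = 69;

    error PriceExceedsUint128(uint256 price);

    /// Next start price before any narrowing, same expression as the quoted line.
    function rawStartPrice(uint256 cost) public pure returns (uint256) {
        return cost <= LEGENDARY_GOBBLER_INITIAL_START_PRICE / 2
            ? LEGENDARY_GOBBLER_INITIAL_START_PRICE
            : cost * 2;
    }

    /// Cast used in the quoted line: narrows to uint120, then widens
    /// implicitly to uint128. Bits 120 and above are silently discarded.
    function viaUint120(uint256 cost) public pure returns (uint128) {
        return uint120(rawStartPrice(cost));
    }

    /// Cast suggested in the finding: matches the width of the storage field.
    /// Still unchecked, so bits 128 and above would be discarded.
    function viaUint128(uint256 cost) public pure returns (uint128) {
        return uint128(rawStartPrice(cost));
    }

    /// Checked alternative: reverts instead of truncating.
    function checked(uint256 cost) external pure returns (uint128) {
        uint256 price = rawStartPrice(cost);
        if (price > type(uint128).max) revert PriceExceedsUint128(price);
        return uint128(price);
    }

    /// True only when the price has a bit set in positions 120..127,
    /// the one range where the two casts store different values.
    function castsDiverge(uint256 cost) external pure returns (bool) {
        return viaUint120(cost) != viaUint128(cost);
    }
}
```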