Platform: Code4rena
Start Date: 06/09/2022
Pot Size: $90,000 USDC
Total HM: 33
Participants: 168
Period: 9 days
Judge: GalloDaSballo
Total Solo HM: 10
Id: 157
League: ETH
Rank: 18/168
Findings: 1
Award: $1,216.32
🌟 Selected for report: 0
🚀 Solo Findings: 0
1216.3218 USDC - $1,216.32
https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/token/Token.sol#L101-L119 https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/token/Token.sol#L130-L136
When initializing founders in _addFounders, base token IDs, which should be numbers between 0 and 99, are distributed to founders, based on ownershipPct. Each founder should have as many base token ID than
the ownershipPct value.
With specific distributions, some base tokens IDs may be higher than 99. In that case, the founder will be unable to get them because the _isForFounder method will calculate the base token ID using baseTokenId = _tokenId % 100 (https://github.com/code-423n4/2022-09-nouns-builder/blob/main/src/token/Token.sol#L179)
There are two issues in the code regarding this finding:
_getNextTokenId method does not check if the returned token is between 0 and 99. If all tokens between the initial _tokenId argument and 99 have already been distributed, the return value will be higher than 99.baseTokenId in the loop is (baseTokenId += schedule) % 100. The % 100 operation is executed but not applied to baseTokenId. The baseTokenId variable can still be higher than 99 after this instruction.These issues may lead to an unfair distribution amongst founders.
ownershipPct: [11%, 12%, 13%]_isForFounder.ownershipPct.The _getNextTokenId method should at least be modified to apply a mod 100 operation for each potential token ID.
#0 - GalloDaSballo
2022-09-26T23:06:49Z
Dup if #107