Platform: Code4rena
Start Date: 11/08/2022
Pot Size: $40,000 USDC
Total HM: 8
Participants: 108
Period: 4 days
Judge: hickuphh3
Total Solo HM: 2
Id: 152
League: ETH
Rank: 25/108
Findings: 2
Award: $90.99
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: itsmeSTYJ
Also found by: 0x1f8b, 0x52, 0xDjango, Ch_301, Chom, KIntern_NA, PwnedNoMore, Treasure-Seeker, auditor0517, byndooa, cccz, csanuragjain, ladboy233, nine9, shenwilly, thank_you, yixxas, zkhorse
42.8343 USDC - $42.83
It was observed that any user can bypass saleConfig.limitPerAccount and mint any number of NFT without caring about limitPerAccount. This is happening due to unrestricted transferFrom.
User A has minted say 10 NFT and saleConfig.limitPerAccount is also 10
Now User A calls mintFromFixedPriceSale and try to mint 10 more NFT
The below condition fails since user has already reached threshold of saleConfig.limitPerAccount
if (IERC721(nftContract).balanceOf(msg.sender) + count > saleConfig.limitPerAccount) { if (saleConfig.limitPerAccount == 0) { // Provide a more targeted error if the collection has not been listed. revert NFTDropMarketFixedPriceSale_Must_Have_Sale_In_Progress(); } revert NFTDropMarketFixedPriceSale_Cannot_Buy_More_Than_Limit(saleConfig.limitPerAccount); }
User A simply use transferFrom function at NFTDropCollection.sol to transfer 10 NFT to his another owned address (Contract implements ERC721Upgradeable which allows transferFrom)
Now User A new balance becomes 0 and he can simply mint NFT using Step 2
Once User A has minted 10 NFT, he again uses transferFrom to transfer back his NFT from his another owned address to his own adddress. This means User A has now 20 NFT even though limit per account was set as 10
This way using 2 address any user can simply bypass saleConfig.limitPerAccount
Override the transferFrom/safeTransferFrom function (or beforetokenTransfer) and check if post transfer balanceOf(msg.sender)+amount <=saleConfig.limitPerAccount, if not revert
#0 - HardlyDifficult
2022-08-17T20:56:38Z
🌟 Selected for report: Saw-mon_and_Natalie
Also found by: 0x1f8b, 0x52, 0xDjango, 0xNazgul, 0xSmartContract, 0xSolus, 0xackermann, 0xmatt, 0xsolstars, Aymen0909, Bnke0x0, Chom, Deivitto, DevABDee, Dravee, ElKu, IllIllI, JC, Kumpa, Lambda, LeoS, MiloTruck, PwnedNoMore, ReyAdmirado, Rohan16, Rolezn, Ruhum, Sm4rty, TomJ, Treasure-Seeker, Vexjon, Waze, Yiko, __141345__, apostle0x01, auditor0517, berndartmueller, bin2chen, bobirichman, brgltd, bulej93, c3phas, carlitox477, cccz, cryptphi, csanuragjain, d3e4, danb, delfin454000, durianSausage, erictee, fatherOfBlocks, gogo, iamwhitelights, joestakey, jonatascm, ladboy233, mics, oyc_109, rbserver, ret2basic, robee, rokinot, rvierdiiev, shenwilly, sikorico, simon135, thank_you, wagmi, yash90, zeesaw, zkhorse
48.1614 USDC - $48.16
Contract: https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollection.sol#L298
Issue: In getTokenCreatorPaymentAddress function, It is not checked whether tokenId actually exists. Even if it does not exist creatorPaymentAddress will be returned as owner. This seem to be used by CollectionRoyalties.sol to calculate Royalties, fees. CollectionRoyalties seem to be exposing API which means that this will give incorrect data.
Recommendation: Revise the function to include below checks:
require(_exists(tokenId), "NFTCollection: URI query for nonexistent token");
Contract: https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTDropCollection.sol#L245
Issue: _burn: This function is marked internal and does not seem to be used.
Recommendation: Remove the function if not required
#0 - HardlyDifficult
2022-08-18T19:29:11Z
Token Id existence not checked
This is a fair point, we will consider adding that check.
Unused function
Invalid. This was required due to a compile error from the inheritance used here.