Platform: Code4rena
Start Date: 03/05/2022
Pot Size: $30,000 USDC
Total HM: 6
Participants: 93
Period: 3 days
Judge: gzeon
Id: 118
League: ETH
Rank: 24/93
Findings: 1
Award: $296.76
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: throttle
Also found by: 0xDjango, BowTiedWardens, WatchPug, defsec, dipp, fatherOfBlocks, gzeon, hake, reassor, shung, unforgiven
ForgottenRunesWarriorsMinter.sol#L171-L195
ForgottenRunesWarriorsMinter.sol#L480-L500
If the mintlist summon starts before the final price is reached in the auction and is not set, then users who use mintlistSummon or publicSummon could pay more than what they should. They would be unable to receive a refund by using the contract since the refund functionality only considers the amount spent in the bidSummon function.
Since the mintlist start time is expected to be 24 hours after the Dutch auction start time, and the public summon 24 hours after that, this scenario is unlikely but is still possible.
A requirement that mintlistStartTime is at least 380 minutes after daStartTime in the setPhaseTimes function could be added since the final price should be equal to lowestPrice 380 minutes after the start of the auction or should already be set if all warriors are sold before that.
#0 - gzeoneth
2022-06-18T19:29:25Z
Duplicate of #27