Escher contest - kaliberpoziomka8552's results

Lines of code

https://github.com/code-423n4/2022-12-escher/blob/5d8be6aa0e8634fdb2f328b99076b0d05fefab73/src/minters/LPDAFactory.sol#L29-L42 https://github.com/code-423n4/2022-12-escher/blob/5d8be6aa0e8634fdb2f328b99076b0d05fefab73/src/minters/LPDA.sol#L124 https://github.com/code-423n4/2022-12-escher/blob/5d8be6aa0e8634fdb2f328b99076b0d05fefab73/src/minters/LPDA.sol#L63 https://github.com/code-423n4/2022-12-escher/blob/main/src/minters/LPDA.sol#L101

Vulnerability details

Impact

If LPDA sale contract is deployed with incorrect configuration, the buy(...) functionality may stop working and in consequence prevent users from buying NFT and saleReceiver from receiving payment from the sale.

Proof of Concept

The LPDA contract is created in function LPDAFactory.createLPDASale(...), but there are not enough checks of the input. Precisely the function does not check if sale.startPrice >= (sale.dropPerSecond * (sale.endTime - sale.startTime)). If the sale contract LPDA creation is misconfigured (given assertion would not hold), then function LPDA.getPrice(...) could throw an error after some time, because of the computation of return value: temp.startPrice - (temp.dropPerSecond * timeElapsed) where temp.startPrice would be lower than (temp.dropPerSecond * timeElapsed). The function LPDA.buy(...) depends on function LPDA.getPrice(...) (here) and if LPDA.getPrice(...) will revert, then buying would be impossible. The sale receiver and fee receiver get funds from the sale when the last token is minted, however, if buying functionality is blocked they wouldn't be paid and the ethers would stay locked in the contract forever. Also the LPDA.refund(...) function could not work, since is dependent on LPDA.getPrice(...) (here).

Tools Used

Manual review

Recommended Mitigation Steps

Consider checking in LPDAFactory.createLPDASale(...) if sale.startPrice >= (sale.dropPerSecond * (sale.endTime - sale.startTime)) is true.