Platform: Code4rena
Start Date: 11/08/2022
Pot Size: $40,000 USDC
Total HM: 8
Participants: 108
Period: 4 days
Judge: hickuphh3
Total Solo HM: 2
Id: 152
League: ETH
Rank: 68/108
Findings: 1
Award: $42.83
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: itsmeSTYJ
Also found by: 0x1f8b, 0x52, 0xDjango, Ch_301, Chom, KIntern_NA, PwnedNoMore, Treasure-Seeker, auditor0517, byndooa, cccz, csanuragjain, ladboy233, nine9, shenwilly, thank_you, yixxas, zkhorse
42.8343 USDC - $42.83
Calling balanceOf(msg.sender) to check if an address has minted more than allowed is bad since the buyer can always transfer away the NFT after minting, and hence mint more than allowed, making it unfair for other parties. This is important when we want to only allow certain addresses to mint, and we want to limit this address from minting more than allowed.

L183 checks for (IERC721(nftContract).balanceOf(msg.sender) + count > saleConfig.limitPerAccount), which can easily be bypassed by transferring the NFT to another address before calling mintFromFixedPriceSale.
NFTDropMarketFixedPriceSale.sol#L183-L189
```solidity
function mintFromFixedPriceSale(
  address nftContract,
  uint16 count,
  address payable buyReferrer
) external payable returns (uint256 firstTokenId) {
  ...
  if (IERC721(nftContract).balanceOf(msg.sender) + count > saleConfig.limitPerAccount) {
    if (saleConfig.limitPerAccount == 0) {
      // Provide a more targeted error if the collection has not been listed.
      revert NFTDropMarketFixedPriceSale_Must_Have_Sale_In_Progress();
    }
    revert NFTDropMarketFixedPriceSale_Cannot_Buy_More_Than_Limit(saleConfig.limitPerAccount);
  }
  ...
}
```
Consider using mapping(address => uint) to track the number of NFTs an account has minted instead of using balanceOf.
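The recommended fix, as an added illustration that is not code from the audited repository: a stripped-down fixed-price sale that keeps the vulnerable balanceOf-based check beside a hardened per-account mint counter. The contract, interface and function names (PerAccountMintLimit, IERC721Minimal, IMintableDrop, mintedBy, exceedsLimitViaBalance) are assumptions chosen for this example; only the check itself and the custom error names mirror the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal slice of ERC-721 needed for the vulnerable check (assumed interface).
interface IERC721Minimal {
    function balanceOf(address owner) external view returns (uint256);
}

// Hypothetical mint hook exposed by the drop collection (assumed interface).
interface IMintableDrop {
    function mint(address to, uint16 count) external returns (uint256 firstTokenId);
}

contract PerAccountMintLimit {
    struct SaleConfig {
        uint256 price;
        uint16 limitPerAccount; // 0 means no sale in progress
    }

    mapping(address => SaleConfig) public saleConfigs;

    // Hardened state: how many tokens each buyer has minted per collection.
    // Unlike balanceOf, this counter is never lowered by transferring tokens away.
    mapping(address => mapping(address => uint16)) public mintedBy;

    error NFTDropMarketFixedPriceSale_Must_Have_Sale_In_Progress();
    error NFTDropMarketFixedPriceSale_Cannot_Buy_More_Than_Limit(uint16 limit);

    // Example-only setup; a real market would restrict who may list a sale.
    function configureSale(address nftContract, uint256 price, uint16 limitPerAccount) external {
        saleConfigs[nftContract] = SaleConfig({price: price, limitPerAccount: limitPerAccount});
    }

    // VULNERABLE pattern from the finding: the limit is measured against the
    // buyer's current balance, which the buyer controls by transferring tokens out.
    function exceedsLimitViaBalance(address nftContract, address buyer, uint16 count)
        public
        view
        returns (bool)
    {
        return IERC721Minimal(nftContract).balanceOf(buyer) + count
            > saleConfigs[nftContract].limitPerAccount;
    }

    // HARDENED pattern: the limit is measured against what this market has
    // already minted for the buyer, which only this contract can change.
    function exceedsLimitViaMintedCount(address nftContract, address buyer, uint16 count)
        public
        view
        returns (bool)
    {
        return uint256(mintedBy[nftContract][buyer]) + count
            > saleConfigs[nftContract].limitPerAccount;
    }

    function mintFromFixedPriceSale(address nftContract, uint16 count)
        external
        payable
        returns (uint256 firstTokenId)
    {
        SaleConfig memory cfg = saleConfigs[nftContract];
        if (cfg.limitPerAccount == 0) {
            // Same targeted error as the original for an unlisted collection.
            revert NFTDropMarketFixedPriceSale_Must_Have_Sale_In_Progress();
        }
        if (exceedsLimitViaMintedCount(nftContract, msg.sender, count)) {
            revert NFTDropMarketFixedPriceSale_Cannot_Buy_More_Than_Limit(cfg.limitPerAccount);
        }
        require(msg.value == cfg.price * count, "incorrect payment");

        // Record the mint before the external call (checks-effects-interactions),
        // so a reentrant call sees the updated counter.
        mintedBy[nftContract][msg.sender] += count;

        firstTokenId = IMintableDrop(nftContract).mint(msg.sender, count);
    }
}
```

The two view helpers make the difference testable: after a buyer mints up to the limit and transfers the tokens elsewhere, exceedsLimitViaBalance returns false again while exceedsLimitViaMintedCount still returns true. The counter is keyed by collection as well as buyer so one market can serve several drops without the limits interfering.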
#0 - HardlyDifficult (2022-08-17T20:58:55Z)