Skip to content
This repository has been archived by the owner on Jun 2, 2024. It is now read-only.

KupiaSec - The founder allocation should be updated after changing reservedUntilTokenId. #171

Closed
sherlock-admin2 opened this issue Dec 1, 2023 · 0 comments
Closed

KupiaSec - The founder allocation should be updated after changing reservedUntilTokenId. #171

sherlock-admin2 opened this issue Dec 1, 2023 · 0 comments
Labels
Non-Reward This issue will not receive a payout

Comments

@sherlock-admin2
Copy link
Contributor

sherlock-admin2 commented Dec 1, 2023
edited by Czar102
Loading

KupiaSec

medium

The founder allocation should be updated after changing reservedUntilTokenId.

Summary

After changing reservedUntilTokenId using Token.setReservedUntilTokenId(), the founder allocation mechanism wouldn't work as expected.

Vulnerability Detail

The owner can update reservedUntilTokenId using setReservedUntilTokenId() before starting the auction.

    function setReservedUntilTokenId(uint256 newReservedUntilTokenId) external onlyOwner {
        // Cannot change the reserve after any non reserved tokens have been minted
        // Added to prevent making any tokens inaccessible
        if (settings.mintCount > 0) {
            revert CANNOT_CHANGE_RESERVE();
        }

        // Cannot decrease the reserve if any tokens have been minted
        // Added to prevent collisions with tokens being auctioned / vested
        if (settings.totalSupply > 0 && reservedUntilTokenId > newReservedUntilTokenId) {
            revert CANNOT_DECREASE_RESERVE();
        }

        // Set the new reserve
        reservedUntilTokenId = newReservedUntilTokenId; //@audit should update founder allocations

        emit ReservedUntilTokenIDUpdated(newReservedUntilTokenId);
    }

As reservedUntilTokenId is used while adding founders, the founder allocation wouldn't work as expected.

  1. During the initialization, there was one founder with ownershipPct = 1, reservedUntilTokenId = 0.
  2. After calling _addFounders(), tokenRecipient[0] will be booked for the founder.
  3. Before starting an auction, setReservedUntilTokenId() is called and reservedUntilTokenId = 1 now.
  4. While minting NFTs with an auction, tokenId will start from reservedUntilTokenId = 1.
  5. So the founder wouldn't receive any NFTs while minting 1 to 99 although he should've got one right after the auction starts.

Impact

The founder allocation mechanism would be broken after changing reservedUntilTokenId.

Code Snippet

https://github.com/sherlock-audit/2023-09-nounsbuilder/tree/main/nouns-protocol/src/token/Token.sol#L486

Tool used

Manual Review

Recommendation

We should update the founder allocations again after changing reservedUntilTokenId in setReservedUntilTokenId().
@github-actions github-actions bot closed this as completed Dec 6, 2023
@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Dec 6, 2023
@sherlock-admin sherlock-admin changed the title Plain Caramel Porcupine - The founder allocation should be updated after changing reservedUntilTokenId. KupiaSec - The founder allocation should be updated after changing reservedUntilTokenId. Dec 13, 2023
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Dec 13, 2023
@nevillehuang nevillehuang mentioned this issue Dec 15, 2023
Closed
@Czar102 Czar102 removed the High A valid High severity issue label Dec 21, 2023
@sherlock-admin sherlock-admin added Non-Reward This issue will not receive a payout and removed Reward A payout will be made for this issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Dec 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Non-Reward This issue will not receive a payout
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Czar102 @sherlock-admin @sherlock-admin2