0xcrunch - Founder may not be able to receive tokens even if the founder has one percentage of token ownership

[sherlock-admin2]

0xcrunch

high

Founder may not be able to receive tokens even if the founder has one percentage of token ownership

Summary

Founder may not be able to receive tokens even if the founder has one percentage ownership.

Vulnerability Detail

ownershipPct indicates the ownershipPct The percentage of token ownership of a founder, when an auction is created, a token is minted.

System will check if the minted token should be sent to a founder, based on the tokenRecipient mapping.
First, system calculates the baseTokenId based on the minted token ID:

        uint256 baseTokenId = _tokenId % 100;

Then founder address is retrieved from tokenRecipient, and token is minted to the founder:

            _mint(tokenRecipient[baseTokenId].wallet, _tokenId);

The tokenRecipient is initialized in _addFounders function:

                for (uint256 j; j < founderPct; ++j) {
                    // Get the available token id
                    baseTokenId = _getNextTokenId(baseTokenId);


                    // Store the founder as the recipient
                    tokenRecipient[baseTokenId] = newFounder;


                    emit MintScheduled(baseTokenId, founderId, newFounder);


                    // Update the base token id
                    baseTokenId = (baseTokenId + schedule) % 100;
                }

Where baseTokenId is set to reservedUntilTokenId at the beginning:

                uint256 baseTokenId = reservedUntilTokenId;

And _getNextTokenId function finds the next available base token id for a founder:

            while (tokenRecipient[_tokenId].wallet != address(0)) {
                _tokenId = (++_tokenId) % 100;
            }


            return _tokenId;

It can be seen that tokenRecipient stores _tokenId % 100 as the key, however, if it is the first time entering this function, baseTokenId will be returned as it is (without % 100), that is, reservedUntilTokenId is stored as the key to the founder's address.

If reservedUntilTokenId is larger than 100, then when system checks if the minted token should be sent to the founder by retrieving from tokenRecipient, tokenRecipient[reservedUntilTokenId] can never be retrieved because baseTokenId is always less than 100:

uint256 baseTokenId = _tokenId % 100;

So the founder is not able to receive any tokens.

Impact

Founder is not able to receive any tokens.

Code Snippet

https://github.com/sherlock-audit/2023-09-nounsbuilder/blob/main/nouns-protocol/src/token/Token.sol#L186-L194

Tool used

Manual Review

Recommendation

It's recommended to return _tokenId % 100 when it is the first time entering _getNextTokenId function.

Duplicate of #42