Skip to content
This repository has been archived by the owner on Jun 2, 2024. It is now read-only.

zraxx - The first founder's share will be lost by 1% when reservedUntilTokenId>=100 #26

Closed
sherlock-admin opened this issue Dec 1, 2023 · 0 comments
Closed

zraxx - The first founder's share will be lost by 1% when reservedUntilTokenId>=100 #26

sherlock-admin opened this issue Dec 1, 2023 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin
Copy link
Contributor

sherlock-admin commented Dec 1, 2023
edited by sherlock-admin2
Loading

zraxx

medium

The first founder's share will be lost by 1% when reservedUntilTokenId>=100

Summary

The first founder's share will be lost by 1% when reservedUntilTokenId>=100.

Vulnerability Detail

When calculating the baseTokenId corresponding to the founder's share, since initially baseTokenId = reservedUntilTokenId and tokenRecipient[reservedUntilTokenId].wallet != address(0), the baseTokenId corresponding to the first 1% share of the first founder will be reservedUntilTokenId . Hence, when reservedUntilTokenId>=100, this 1% share will be lost. Subsequent shares will not be affected because the range of baseTokenId will correctly fall between 0-99.

uint256 baseTokenId = reservedUntilTokenId;

// For each token to vest:
for (uint256 j; j < founderPct; ++j) {
    // Get the available token id
    baseTokenId = _getNextTokenId(baseTokenId);

    // Store the founder as the recipient
    tokenRecipient[baseTokenId] = newFounder;

    emit MintScheduled(baseTokenId, founderId, newFounder);

    // Update the base token id
    baseTokenId = (baseTokenId + schedule) % 100;
}

Impact

Founder loses 1% share

Code Snippet

https://github.com/sherlock-audit/2023-09-nounsbuilder/blob/main/nouns-protocol/src/token/Token.sol#L161

https://github.com/sherlock-audit/2023-09-nounsbuilder/blob/main/nouns-protocol/src/token/Token.sol#L186

Tool used

Manual Review

Recommendation

Patch method 1:

modify function _addFounders

uint256 baseTokenId = reservedUntilTokenId % 100;  // <------ modify

// For each token to vest:
for (uint256 j; j < founderPct; ++j) {
    // Get the available token id
    baseTokenId = _getNextTokenId(baseTokenId);

    // Store the founder as the recipient
    tokenRecipient[baseTokenId] = newFounder;

    emit MintScheduled(baseTokenId, founderId, newFounder);

    // Update the base token id
    baseTokenId = (baseTokenId + schedule) % 100;
}

Patch method 2:

modify function _getNextTokenId

function _getNextTokenId(uint256 _tokenId) internal view returns (uint256) {
        unchecked {
	   _tokenId = _tokenId % 100;   // <------ add

            while (tokenRecipient[_tokenId].wallet != address(0)) {
                _tokenId = (++_tokenId) % 100;
            }

            return _tokenId;
        }
    }

Duplicate of #42
@github-actions github-actions bot closed this as completed Dec 6, 2023
@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Dec 6, 2023
@sherlock-admin2 sherlock-admin2 changed the title Narrow Magenta Kestrel - The first founder's share will be lost by 1% when reservedUntilTokenId>=100 zraxx - The first founder's share will be lost by 1% when reservedUntilTokenId>=100 Dec 13, 2023
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Dec 13, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin @sherlock-admin2