You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Jun 2, 2024. It is now read-only.
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
updateFounders in Token.sol is not respecting the reserveUntilTokenId, which leads to a wrong cleanup of baseTokenIds.
Vulnerability Detail
In updateFounders there is a loop in the code, that is deleting the baseTokenIds, on when to mint tokens for founders. This is to ensure, that the mapping is clean, before adding the update founders. The problem here is, that this function is not respecting the changes, that where done to the addFounders in regards to the reservedUntilTokenId.
When adding, the baseTokenId stars with the value set to reservedUntilTokenId, but when deleting it starts with baseTokenId=0.
This will result in the mapping to not be properly cleaned, and old founders to may still receive tokens, or updated founders receiving too many tokens.
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelHighA valid High severity issueRewardA payout will be made for this issue
0xReiAyanami
high
Malfunction in updateFounders
Summary
updateFounders in Token.sol is not respecting the reserveUntilTokenId, which leads to a wrong cleanup of baseTokenIds.
Vulnerability Detail
In updateFounders there is a loop in the code, that is deleting the baseTokenIds, on when to mint tokens for founders. This is to ensure, that the mapping is clean, before adding the update founders. The problem here is, that this function is not respecting the changes, that where done to the addFounders in regards to the reservedUntilTokenId.
When adding, the baseTokenId stars with the value set to reservedUntilTokenId, but when deleting it starts with baseTokenId=0.
This will result in the mapping to not be properly cleaned, and old founders to may still receive tokens, or updated founders receiving too many tokens.
Impact
Code Snippet
https://github.com/sherlock-audit/2023-09-nounsbuilder/blob/main/nouns-protocol/src/token/Token.sol#L161
https://github.com/sherlock-audit/2023-09-nounsbuilder/blob/main/nouns-protocol/src/token/Token.sol#L412
Tool used
Manual Review
Recommendation
use the same baseId for deletion as for adding the founders, starting with reservedUntilTokenId
Duplicate of #42
The text was updated successfully, but these errors were encountered: