Code4rena | CODE423N4:2022-12-ESCHER-FINDINGS-ISSUES-485
Dec 09, 2022 - 12:00 a.m.

LPDA can be initialized with parameters that will revert getPrice()

Lines of code
<https://github.com/code-423n4/2022-12-escher/blob/5d8be6aa0e8634fdb2f328b99076b0d05fefab73/src/minters/LPDAFactory.sol#L29-L42>

Vulnerability details

Impact

If an LPDA sale is initialized with incorrect parameters, its buy() and refund() functions can start reverting at some point in time (the revert happens in the getPrice() function).

Users might not be able to withdraw their excess balance using the refund() function if getPrice() reverts.

Users will not be able to buy if getPrice() reverts.

getPrice() will revert if startPrice is less than dropPerSecond * (endTime - startTime).

Proof of Concept

file: src/minters/LPDA.sol

startPrice = 100
dropPerSecond = 10
endTime = 100
startTime = 0

// getPrice() is used in buy() and refund()
function getPrice() public view returns (uint256) {
    Sale memory temp = sale;
    (uint256 start, uint256 end) = (temp.startTime, temp.endTime);
    if (block.timestamp < start) return type(uint256).max;
    if (temp.currentId == temp.finalId) return temp.finalPrice;

    uint256 timeElapsed = end > block.timestamp ? block.timestamp - start : end - start;
    // Reverts when dropPerSecond * timeElapsed exceeds startPrice
    return temp.startPrice - (temp.dropPerSecond * timeElapsed);
}
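To see when the revert starts for the parameters above, the following Python model of getPrice() is an added example, not code from the Escher repository or from the report's author. The Sale dataclass, Panic exception and function names are assumptions made for the model; it emulates checked uint256 arithmetic and assumes dropPerSecond > 0 and endTime > startTime.

```python
from dataclasses import dataclass
from typing import Optional

UINT256_MAX = 2**256 - 1

class Panic(Exception):
    """Stands in for the revert raised by checked uint256 arithmetic."""

def _checked(value: int) -> int:
    if value < 0 or value > UINT256_MAX:
        raise Panic("arithmetic overflow/underflow")
    return value

@dataclass
class Sale:  # hypothetical container: only the fields getPrice() reads
    start_price: int
    drop_per_second: int
    start_time: int
    end_time: int
    current_id: int = 0
    final_id: int = 1
    final_price: int = 0

def get_price(sale: Sale, now: int) -> int:
    """Model of LPDA.getPrice() evaluated at block.timestamp == now."""
    if now < sale.start_time:
        return UINT256_MAX
    if sale.current_id == sale.final_id:  # sold out: arithmetic is skipped
        return sale.final_price
    end = sale.end_time
    elapsed = now - sale.start_time if end > now else end - sale.start_time
    return _checked(sale.start_price - _checked(sale.drop_per_second * elapsed))

def params_are_safe(sale: Sale) -> bool:
    """The condition the report asks createLPDASale() to enforce."""
    duration = sale.end_time - sale.start_time
    return sale.start_price >= sale.drop_per_second * duration

def first_reverting_timestamp(sale: Sale) -> Optional[int]:
    """Earliest timestamp at which get_price() reverts (sale not sold out)."""
    duration = sale.end_time - sale.start_time
    # Smallest elapsed time t with drop_per_second * t > start_price.
    elapsed = sale.start_price // sale.drop_per_second + 1
    return sale.start_time + elapsed if elapsed <= duration else None

# Parameters taken from the Proof of Concept above.
POC = Sale(start_price=100, drop_per_second=10, start_time=0, end_time=100)
```

With the PoC parameters the price reaches 0 at timestamp 10 and every call from timestamp 11 onward reverts, including calls after endTime, unless the sale has sold out.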

Recommended Mitigation Steps

Add a require(sale.startPrice >= sale.dropPerSecond * (sale.endTime - sale.startTime)); after all require statements in createLPDASale()

file: src/minters/LPDAFactory.sol

function createLPDASale(LPDA.Sale calldata sale) external returns (address clone) {
    ...
		require(sale.dropPerSecond &gt; 0, "INVALID DROP PER SECOND");
+		require(sale.startPrice &gt;= sale.dropPerSecond * (sale.endTime - sale.startTime), "Incorrect LPDA parameters");

		...
}  
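Review bot: on the `+` line, `sale.endTime - sale.startTime` is evaluated before anything visible in this hunk guarantees that endTime is not below startTime, so under the same checked arithmetic that makes getPrice() revert, a reversed time range would fail here with an arithmetic panic rather than a require message. Keep the new check after whichever elided require validates the end time, or add one if none does. The `>=` also accepts parameter sets where the price decays to exactly 0 by endTime; use `>` or a separate minimum-price check if a zero final price is not intended. The reason string "Incorrect LPDA parameters" departs from the upper-case style of "INVALID DROP PER SECOND" on the line above and should match it.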
