A number of NFTs can be held hostage by a user who has no genuine intent to purchase.
The code on lines 85-87 indicates that a newly generated NFT will be temporarily
held by the contract if the user (the caller) gets a trick where the NFT price doubles (i.e., costMultiplierNumerator == 2
) and the amount of native asset paid by the user is less than the doubled price. It is expected that the user later calls function resolveTrick()
to pay the remaining amount and the NFT will be released to the user.
This logic can be weaponised by a malicious user. Consider the following steps:
The user calls trickOrTreat()
and guesses
the random value, expecting a trick
. The user sends an amount of msg.value
that is much less than the requiredCost
.
The user repeats step 1 as many as possible (e.g., x
times).
The user never calls resolveTrick()
.
As the result, there are x
NFTs stuck on the contract, that is held hostage by the user, because the user is the only party that can release the NFTs from the contract.
NFTs potentially gets stuck on the contract.
Manual review.
Consider adding a deadline which allows the owner to release the NFTs after the deadline expires.
The protocol can work correctly with more than 20000 tokens in it. It is informational.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.