Trick or Treat

First Flight #27
Beginner Friendly, Foundry
Submission Details
Severity: low
Invalid

Treat cost may change between the trickOrTreat and resolveTrick calls, leading to an incorrect required payment amount

Summary

The owner can change the price of a treat after a user's double-price swap has left a treat pending and before the user calls SpookySwap::resolveTrick. In that case the final price the user pays is not the price that was in effect when the treat was swapped.

Vulnerability Details

The contract owner can change the cost of a treat with SpookySwap::setTreatCost. If tokens for that treat are pending, the price in SpookySwap::resolveTrick is derived from the new cost, because the required amount is recomputed at resolve time as follows:

uint256 requiredCost = treat.cost * 2;

If the owner raises the treat cost after a user has swapped at double price but before that user resolves, the user must pay more than the amount that was outstanding at swap time when calling SpookySwap::resolveTrick, because the required payment is recomputed from the current cost rather than from the cost the user was quoted. The same formula means that a lowered cost lets the user resolve for less than was originally owed.

Impact

The user pays an amount that differs from the price in effect when the treat was swapped. If the cost was raised while the token was pending, the user can only claim the treat by paying more than was originally owed.

Tools Used

Manual review

Recommendations

Consider storing the remaining amount owed for each pending treat, fixed at swap time, instead of the amount paid, so that SpookySwap::resolveTrick no longer depends on the current treat cost.
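The window described above and the recommended fix, as an added example that is not part of the original submission or of the SpookySwap code: a stripped-down model contract (no ERC721 minting, no randomness, every call is assumed to take the under-paid double-price path) together with a Foundry test. PendingTreatModel, pendingAmountOwed, resolveTrickFixed and the test names are hypothetical; setTreatCost, trickOrTreat, resolveTrick and the `treat.cost * 2` computation mirror what the finding describes, not the real contract's full logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Hypothetical model of the pending-treat bookkeeping only (not SpookySwap itself).
contract PendingTreatModel {
    struct Treat {
        uint256 cost;
    }

    address public owner;
    mapping(string => Treat) public treatList;
    uint256 public nextTokenId = 1;

    // Bookkeeping as the finding describes it: remember what was paid and
    // recompute the required total from the *current* cost when resolving.
    mapping(uint256 => address) public pendingNFTs;
    mapping(uint256 => uint256) public pendingAmountPaid;
    mapping(uint256 => string) public tokenIdToTreatName;

    // Recommended bookkeeping (hypothetical name): lock in what is still owed.
    mapping(uint256 => uint256) public pendingAmountOwed;

    constructor() {
        owner = msg.sender;
    }

    function setTreatCost(string memory name, uint256 cost) external {
        require(msg.sender == owner, "not owner");
        treatList[name].cost = cost;
    }

    /// Simplified: always the double-price branch, and the caller under-pays,
    /// so a pending token is always created.
    function trickOrTreat(string memory name) external payable returns (uint256 tokenId) {
        uint256 requiredCost = treatList[name].cost * 2;
        require(requiredCost > 0, "Treat cost not set.");
        require(msg.value < requiredCost, "model only covers the under-paid path");
        tokenId = nextTokenId++;
        pendingNFTs[tokenId] = msg.sender;
        pendingAmountPaid[tokenId] = msg.value;
        tokenIdToTreatName[tokenId] = name;
        pendingAmountOwed[tokenId] = requiredCost - msg.value; // snapshot taken at swap time
    }

    /// Vulnerable resolve: requiredCost follows whatever the cost is now.
    function resolveTrick(uint256 tokenId) external payable {
        require(pendingNFTs[tokenId] == msg.sender, "not authorized");
        uint256 requiredCost = treatList[tokenIdToTreatName[tokenId]].cost * 2;
        uint256 totalPaid = pendingAmountPaid[tokenId] + msg.value;
        require(totalPaid >= requiredCost, "Insufficient ETH sent to complete purchase");
        _settle(tokenId);
    }

    /// Fixed resolve: the caller owes exactly what was outstanding when the token was parked.
    function resolveTrickFixed(uint256 tokenId) external payable {
        require(pendingNFTs[tokenId] == msg.sender, "not authorized");
        require(msg.value >= pendingAmountOwed[tokenId], "Insufficient ETH sent to complete purchase");
        _settle(tokenId);
    }

    function _settle(uint256 tokenId) internal {
        delete pendingNFTs[tokenId];
        delete pendingAmountPaid[tokenId];
        delete tokenIdToTreatName[tokenId];
        delete pendingAmountOwed[tokenId];
    }
}

contract PriceChangeWindowTest is Test {
    PendingTreatModel internal swap;
    address internal user;

    function setUp() public {
        swap = new PendingTreatModel(); // this test contract is the owner
        swap.setTreatCost("candy", 1 ether);
        user = makeAddr("user");
        vm.deal(user, 10 ether);
    }

    function test_costRaisedWhileTokenPending() public {
        // Double price is 2 ether; the user sends 1 ether, so 1 ether stays outstanding.
        vm.prank(user);
        uint256 id = swap.trickOrTreat{value: 1 ether}("candy");
        assertEq(swap.pendingAmountOwed(id), 1 ether);

        // Owner raises the cost while the token is pending: 2 * 2 ether = 4 ether now required.
        swap.setTreatCost("candy", 2 ether);

        // Vulnerable path: 1 ether paid + 1 ether top-up < 4 ether, so the user is rejected.
        vm.prank(user);
        vm.expectRevert(bytes("Insufficient ETH sent to complete purchase"));
        swap.resolveTrick{value: 1 ether}(id);

        // Fixed path: the amount snapshotted in trickOrTreat still governs.
        vm.prank(user);
        swap.resolveTrickFixed{value: 1 ether}(id);
        assertEq(swap.pendingNFTs(id), address(0));
    }
}
```

Run it with `forge test --match-contract PriceChangeWindowTest` in a project that has forge-std installed. The test only reproduces the user-facing effect when the owner actually changes the cost while a token is pending, which is the trusted-owner scenario the judge cites below when invalidating the finding.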

Updates

Appeal created

bube Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[invalid] Change cost between the call of trickOrTreat and resolveTrick

Only the owner has the right to change the cost of the treat. Therefore it is assumed that the owner will not change the cost of the pending NFTs. The owner role is trusted.
