Snowman Merkle Airdrop

First Flight #42
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

A malicious user can deploy the same contract with cheaper token fees

Since the buyFee is passed as a parameter in the constructor and isn't hardcoded, a user can deploy the same contract and have super cheap fees for the tokens.

Description

  • buyFee is passed in the constructor as a parameter, which then prevents the fees from being set to 0, and should be set at a reasonable fee.

  • Since the buyFee isn't hardcoded, someone can deploy the same contract, since it's public and easy to copy, and they can set the buyFee to have lower fees for the tokens.

...
@>  constructor(address _weth, uint256 _buyFee, address _collector) ERC20("Snow", "S") Ownable(msg.sender) {
        if (_weth == address(0)) {
            revert S__ZeroAddress();
        }
@>      if (_buyFee == 0) {
            revert S__ZeroValue();
        }
        if (_collector == address(0)) {
            revert S__ZeroAddress();
        }
        i_weth = IERC20(_weth);
@>      s_buyFee = _buyFee * PRECISION;
        s_collector = _collector;
        i_farmingOver = block.timestamp + FARMING_DURATION; // Snow farming ends 12 weeks after deployment
    }

    function buySnow(uint256 amount) external payable canFarmSnow {
@>      if (msg.value == (s_buyFee * amount)) {
            _mint(msg.sender, amount);
        } else {
@>          i_weth.safeTransferFrom(msg.sender, address(this), (s_buyFee * amount));
            _mint(msg.sender, amount);
        }
        s_earnTimer = block.timestamp;
        emit SnowBought(msg.sender, amount);
    }

Risk

Likelihood: High

  • Since the buyFee isn't hardcoded and the contract is public and easy to copy, it can happen at any moment.

Impact: High

  • If a user does copy the contract, they can deploy the same contract but with their own cheaper fees, allowing others to buy the token at a cheaper price than intended, and now they can access the Snowman NFT more easily.

Proof of Concept

- Bob copies the contract and deploys it.
- Bob then sets the buyFee to a very low fee.
- Bob and others can now buy the token at a cheaper price than the original contract.
- Bob and others can now get the Snowman NFT more easily due to the cheaper fees, while the users in the original contract have a harder time getting the NFT due to the higher intended fees.

Recommended Mitigation

You should remove buyFee from the constructor's parameters and also remove the assignment that sets s_buyFee equal to buyFee.

Instead, have the buyFee be hardcoded in the constructor:

- constructor(, uint256 _buyFee, )
...
- s_buyFee = _buyFee * PRECISION;
+ s_buyFee = 10 * PRECISION; // Hardcoded buy fee
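
Review bot: the first removed line drops uint256 _buyFee from the constructor signature, but no + line gives the replacement signature, and the if (_buyFee == 0) check quoted earlier in this report still reads _buyFee, so the constructor as patched would not compile. Add the new signature line and remove that zero check along with the parameter. If 10 is meant to be a fixed fee, a named constant declared beside PRECISION would document the value and its unit better than a literal inside the constructor body.
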
Updates

Lead Judging Commences

yeahchibyke Lead Judge 18 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
