
Canvas one can be refundable dutch

High Risk

In Create.sol, the createCanvas and updateCanvas functions are used to create and update canvases. In both cases, someone can set a canvas to refundableDutch = true and isOne = true, although a refundable auction does not make sense for 1/1 canvases. This can also lead to people getting free NFTs.

Example

  1. User A creates a canvas and marks it refundableDutch and isOne. Price is set to 10 ETH.
  2. User B buys one NFT by executing the mint function and pays 10 ETH. The sale is treated as a regular 1/1 canvas sale, except that the ETH is not sent to the seller but is kept in the contract.
  3. User B can then execute the claimDutchRefund function, because refundableDutch is true.
  4. His refund will be calculated like this: purchaseTracker.spend - (purchaseTracker.quantity * (ds.canvasSystem[canvasId].dutchEndPrice)) = 10 ETH - (1 * 0) = 10 ETH

dutchEndPrice is 0 because it never gets set when a canvas is isOne.

Recommendation

Add a check in createCanvas and updateCanvas that prevents the above scenario. For example, you can add: if(canvas.refundableDutch && canvas.isOne) revert.
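The recommended check applied to both entry points, next to the refund formula it protects, as an added example that is not the project's Create.sol. The contract name, storage layout, function parameters, the purchases mapping, refundOwed and the custom error are assumptions; only the flag names, dutchEndPrice and the refund formula are taken from this finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Minimal model of the finding, NOT the project's Create.sol. Storage layout,
// parameters and the custom error are assumptions; NFT issuance and supply
// limits are omitted. Flag names and the refund formula come from the report.
contract CanvasModel {
    struct Canvas { address seller; bool isOne; bool refundableDutch; uint256 price; uint256 dutchEndPrice; }
    struct PurchaseTracker { uint256 spend; uint256 quantity; }
    error OneOfOneCannotBeRefundableDutch();
    mapping(uint256 => Canvas) public canvasSystem;
    mapping(uint256 => mapping(address => PurchaseTracker)) public purchases;

    function createCanvas(uint256 id, bool isOne, bool refundableDutch, uint256 price, uint256 endPrice) external {
        require(canvasSystem[id].seller == address(0), "canvas exists");
        canvasSystem[id].seller = msg.sender;
        _set(id, isOne, refundableDutch, price, endPrice);
    }

    function updateCanvas(uint256 id, bool isOne, bool refundableDutch, uint256 price, uint256 endPrice) external {
        require(canvasSystem[id].seller == msg.sender, "not seller");
        _set(id, isOne, refundableDutch, price, endPrice);
    }

    // Shared by both entry points so the rule cannot be bypassed through an update.
    function _set(uint256 id, bool isOne, bool refundableDutch, uint256 price, uint256 endPrice) internal {
        // Recommended check: a 1/1 canvas must never be a refundable Dutch auction.
        if (refundableDutch && isOne) revert OneOfOneCannotBeRefundableDutch();
        Canvas storage c = canvasSystem[id];
        c.isOne = isOne;
        c.refundableDutch = refundableDutch;
        c.price = price;
        if (!isOne) c.dutchEndPrice = endPrice; // never written for a 1/1 canvas, so it stays 0
    }

    function mint(uint256 id) external payable {
        Canvas storage c = canvasSystem[id];
        require(c.seller != address(0) && msg.value == c.price, "bad mint");
        if (c.refundableDutch) { // ETH stays in the contract until refunds are settled
            purchases[id][msg.sender].spend += msg.value;
            purchases[id][msg.sender].quantity += 1;
        } else {
            payable(c.seller).transfer(msg.value);
        }
    }
    // Refund formula from the report. With dutchEndPrice == 0 it returns the buyer's whole spend.
    function refundOwed(uint256 id, address buyer) public view returns (uint256) {
        PurchaseTracker storage p = purchases[id][buyer];
        return p.spend - p.quantity * canvasSystem[id].dutchEndPrice;
    }
}
```

Routing createCanvas and updateCanvas through one internal setter keeps the flag rule in a single place, so a canvas cannot be created valid and later updated into the isOne plus refundableDutch state.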