Refundable dutch with zero dutchEndTime enables theft of funds

High Risk

Create.sol contains the createCanvas and updateCanvas functions, through which a canvas can be created or updated. In both cases a canvas can be set to be a refundable dutch auction even though it is not a dutch auction at all (refundableDutch = true and dutchEndTime = 0). This enables theft of funds from the contract. The canvas creator also has the ability to change saleToken, as stated in Change of saleToken can result in wrong revenue, so he can use this in combination with payoutAuction to steal any token from the contract.

Example

  1. User A creates a canvas and sets refundableDutch = true and dutchEndTime = 0. The price is 1 USDT and the total quantity is 10.
  2. He buys 10 NFTs and pays 10 USDT.
  3. He then executes a canvas update and sets saleToken to ETH, which he can do because dutchEndTime is 0.
  4. He then executes the payoutAuction function.
  5. His revenue is calculated as canvas.totalQuantity.mul(ds.canvasSystem[canvasId].dutchEndPrice) = 10 * 1 = 10.
  6. He receives 10 ETH.

He paid 10 USDT and received 10 ETH (which at the time is worth more than 1000x as much).

Recommendation

Consider adding a check in createCanvas and updateCanvas that prevents the scenario above, for example: if (canvas.refundableDutch && canvas.dutchEndTime == 0) revert;
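One way to implement the recommended check, as an added illustration rather than the audited project's code: a single internal validator shared by createCanvas and updateCanvas, so the refundableDutch flag can never be stored without a non-zero dutchEndTime. The Canvas struct, the custom error name, the address(0)-means-ETH convention and the contract layout are assumptions that keep only the fields this finding refers to; access control and the rest of the sale and payout logic are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustration of the recommended configuration check. This is NOT the
// audited project's code: the struct, error and function bodies are a
// hypothetical minimal model of the createCanvas / updateCanvas paths.
contract CanvasConfigCheck {
    struct Canvas {
        address saleToken;     // token the sale is paid in; address(0) = ETH (assumption)
        uint256 totalQuantity; // number of NFTs offered
        uint256 dutchEndTime;  // 0 means "not a dutch auction"
        uint256 dutchEndPrice; // end price used by payout accounting
        bool refundableDutch;  // refund logic for dutch auctions
    }

    mapping(uint256 => Canvas) public canvases;
    uint256 public nextCanvasId;

    // Refund logic enabled on a sale that is not a dutch auction.
    error RefundableDutchWithoutEndTime();

    // Pure helper so the invariant can be read (and unit tested) on its own.
    function isConsistentConfig(bool refundableDutch, uint256 dutchEndTime)
        public
        pure
        returns (bool)
    {
        // A refundable dutch canvas must actually be a dutch auction.
        return !(refundableDutch && dutchEndTime == 0);
    }

    // One validator shared by both entry points so they cannot drift apart.
    function _validateCanvas(Canvas memory canvas) internal pure {
        if (!isConsistentConfig(canvas.refundableDutch, canvas.dutchEndTime)) {
            revert RefundableDutchWithoutEndTime();
        }
    }

    // Creation path: reject the inconsistent state before it is ever stored.
    function createCanvas(Canvas calldata canvas) external returns (uint256 canvasId) {
        _validateCanvas(canvas);
        canvasId = nextCanvasId++;
        canvases[canvasId] = canvas;
    }

    // Update path: a canvas that was valid at creation must stay valid.
    function updateCanvas(uint256 canvasId, Canvas calldata canvas) external {
        _validateCanvas(canvas);
        canvases[canvasId] = canvas;
    }
}
```

Validating in both entry points matters because the finding applies to both paths: a canvas that passes createCanvas could otherwise be moved into the inconsistent state later through updateCanvas. Keeping the rule in one internal function, and exposing it as a pure helper, also makes it straightforward to cover with a unit test that asserts the create and update calls revert for refundableDutch = true with dutchEndTime = 0.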