
Change of saleToken can result in wrong revenue

Medium Risk

In Create.sol, the updateCanvas function is used to update a canvas. It can also update saleToken as long as the canvas is not in a reserve auction or Dutch auction; if the canvas is on a regular sale, saleToken can be updated. If someone has already purchased an NFT that is part of the canvas and saleToken is then changed, the revenue will be wrong, because there is no way to know how much was sold for which saleToken.

Example

  1. User A creates a canvas and sets it up for a regular sale. saleToken is ETH (address(0)) and price is 1e18.
  2. User B mints one NFT that is part of that canvas and pays 1 ETH.
  3. Revenue for that canvas updates to ds.canvasSystem[canvasId].revenue += totalPrice -> 1e18.
  4. User A executes a canvas update. He sets saleToken to USDT and price to 100e6 (USDT has 6 decimals).
  5. User C mints one NFT that is part of that canvas and pays 100 USDT.
  6. Revenue for that canvas updates to ds.canvasSystem[canvasId].revenue += totalPrice -> 1e18 + 100e6 = 10000000001e8.

Now the revenue is 10000000001e8, but that does not represent how much ETH was earned or how much USDT was earned.

Recommendation

Prevent a change of saleToken once any kind of sale has started. You can add this line: if (saleStarted && canvas.saleToken != update.saleToken) revert();
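
The recommended guard in a minimal contract, as an added example that is not the audited Create.sol. Only saleToken, price and revenue come from the finding; the contract, its other fields and function names are hypothetical, payment collection is omitted, and "sale started" is assumed to mean that at least one NFT of the canvas has been minted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited code. Names other than saleToken,
// price and revenue are hypothetical; only the accounting is modelled.
contract CanvasSaleModel {
    struct Canvas {
        address owner;
        address saleToken; // address(0) means ETH, as in the finding
        uint256 price;     // in saleToken's smallest unit (wei, or 1e-6 USDT)
        uint256 revenue;   // a single sum: only meaningful for one token
        uint256 minted;    // assumption: minted > 0 stands in for saleStarted
    }

    mapping(uint256 => Canvas) public canvases;
    uint256 public nextCanvasId;

    error NotOwner();
    error SaleTokenLocked();

    function createCanvas(address saleToken, uint256 price) external returns (uint256 id) {
        id = nextCanvasId++;
        canvases[id] = Canvas(msg.sender, saleToken, price, 0, 0);
    }

    // Stand-in for a regular-sale mint of one NFT.
    function recordMint(uint256 id) external {
        Canvas storage c = canvases[id];
        c.minted += 1;
        c.revenue += c.price; // same update as steps 3 and 6 of the example
    }

    function updateCanvas(uint256 id, address newSaleToken, uint256 newPrice) external {
        Canvas storage c = canvases[id];
        if (msg.sender != c.owner) revert NotOwner();
        // Guard from the recommendation: after the first sale the token is
        // frozen, so revenue never adds amounts of different tokens/decimals.
        if (c.minted > 0 && c.saleToken != newSaleToken) revert SaleTokenLocked();
        c.saleToken = newSaleToken;
        c.price = newPrice; // a price change alone keeps revenue in one unit
    }
}
```

With the guard in place, step 4 of the example reverts with SaleTokenLocked, so revenue stays at 1e18 wei instead of becoming a mix of wei and USDT units.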