getMinimumBid can return invalid value for Zora

[code423n4]

Lines of code

https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/market-wrapper/ZoraMarketWrapper.sol#L80

Vulnerability details

Impact & Proof Of Concept

getMinimumBid simply returns the reserve price (when there are no bidders) or the minimum increment. However, when the tokenContract is equal to the zora protocol (which is possible, as this is not disallowed by the Party protocol), there is an additional check in Zora's AuctionHouse:

        // For Zora Protocol, ensure that the bid is valid for the current bidShare configuration
        if(auctions[auctionId].tokenContract == zora) {
            require(
                IMarket(IMediaExtended(zora).marketContract()).isValidBid(
                    auctions[auctionId].tokenId,
                    amount
                ),
                "Bid invalid for share splitting"
            );
        }

Looking at Zora's Market, we can see that this checks if the amount is perfectly splittable:

    /**
     * @notice Validates that the bid is valid by ensuring that the bid amount can be split perfectly into all the bid shares.
     *  We do this by comparing the sum of the individual share values with the amount and ensuring they are equal. Because
     *  the splitShare function uses integer division, any inconsistencies with the original and split sums would be due to
     *  a bid splitting that does not perfectly divide the bid amount.
     */
    function isValidBid(uint256 tokenId, uint256 bidAmount)
        public
        view
        override
        returns (bool)
    {
        BidShares memory bidShares = bidSharesForToken(tokenId);
        require(
            isValidBidShares(bidShares),
            "Market: Invalid bid shares for token"
        );
        return
            bidAmount != 0 &&
            (bidAmount ==
                splitShare(bidShares.creator, bidAmount)
                    .add(splitShare(bidShares.prevOwner, bidAmount))
                    .add(splitShare(bidShares.owner, bidAmount)));
    }

It is therefore possible that the amount returned by getMinimumBid does not pass this check, which would mean that it is impossible to bid on this token (as Party protocol always uses the minimum amount and there is no way to pass an amount manually).

Recommended Mitigation Steps

Incorporate this into the getMinimumBid calculation. If tokenContract is equal to the Zora protocol, the amount returned has to be larger than the minimum increment AND perfectly splittable.

[merklejerk]

Will fix in the future. For now, the FE can block zora tokens from the FE to mitigate.

[HardlyDifficult]

Interesting limitation that could interfere with Zora NFT support. Agree with Medium risk.

[trust1995]

A cool find. While wondering why I didn't find it myself, I re-checked the scope for the contest and indeed, all the MarketWrappers are explicitly out of scope. So while it is a commendable submission, I think for fairness sake it needs to be closed.

@HardlyDifficult

[HardlyDifficult]

That's a good flag, thanks @trust1995 . I will lower severity since this was out of scope. Merging with #101