getMinimumBid can return invalid value for Zora #116
Labels
bug
Something isn't working
duplicate
This issue or pull request already exists
QA (Quality Assurance)
Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/PartyDAO/party-contracts-c4/blob/3896577b8f0fa16cba129dc2867aba786b730c1b/contracts/market-wrapper/ZoraMarketWrapper.sol#L80
Vulnerability details
Impact & Proof Of Concept
getMinimumBid
simply returns the reserve price (when there are no bidders) or the minimum increment. However, when thetokenContract
is equal to the zora protocol (which is possible, as this is not disallowed by the Party protocol), there is an additional check in Zora's AuctionHouse:Looking at Zora's Market, we can see that this checks if the amount is perfectly splittable:
It is therefore possible that the amount returned by
getMinimumBid
does not pass this check, which would mean that it is impossible to bid on this token (as Party protocol always uses the minimum amount and there is no way to pass an amount manually).Recommended Mitigation Steps
Incorporate this into the
getMinimumBid
calculation. IftokenContract
is equal to the Zora protocol, the amount returned has to be larger than the minimum increment AND perfectly splittable.The text was updated successfully, but these errors were encountered: