Deactivated tiers can still mint reserve tokens, even if no non-reserve tokens were minted. #189
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
M-07
satisfactory: satisfies C4 submission criteria; eligible for awards
selected for report: This submission will be included/highlighted in the audit report
sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/jbx-protocol/juice-nft-rewards/blob/f9893b1497098241dd3a664956d8016ff0d0efd0/contracts/JBTiered721DelegateStore.sol#L808
Vulnerability details
Description
Tiers in Juicebox can be deactivated using the adjustTiers() function. It makes sense that reserve tokens may be minted in deactivated tiers, in order to be consistent with already minted tokens. However, the code allows the first reserve token to be minted in a deactivated tier, even though there was no previous minting of that tier.
Using the rounding mechanism is not valid when the tier has been deactivated, since we know there won't be any minting of this tier.
Impact
The reserve beneficiary receives an unfair NFT which may be used to withdraw tokens using the redemption mechanism.
Tools Used
Manual audit
Recommended Mitigation Steps
If Juicebox intends to use rounding functionality, pass an argument isDeactivated which, if true, deactivates the rounding logic.
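The rounding case described above and the recommended isDeactivated guard, as an added example that is not the JBTiered721DelegateStore code. The struct fields, function names and the rounding formula are assumptions made for illustration, and the guard here covers only the zero-mint case the finding describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the project's code. The struct, function names and
// rounding formula are assumptions modelled on the finding's description.
contract ReservedRoundingModel {
    struct Tier {
        uint256 initialQuantity;   // supply the tier was created with
        uint256 remainingQuantity; // supply still unminted
        uint256 reservedRate;      // one reserved token per `reservedRate` paid mints
        uint256 reservesMinted;    // reserved tokens minted so far
    }

    // Behaviour the finding describes: rounding ignores deactivation.
    function outstandingUnguarded(Tier memory t) public pure returns (uint256) {
        return _outstanding(t, false);
    }

    // Recommended mitigation: the caller states whether the tier is deactivated.
    function outstandingGuarded(Tier memory t, bool isDeactivated) public pure returns (uint256) {
        return _outstanding(t, isDeactivated);
    }

    function _outstanding(Tier memory t, bool isDeactivated) private pure returns (uint256) {
        if (t.initialQuantity == 0 || t.reservedRate == 0) return 0;

        // Nothing minted yet: an active tier rounds up to one reserve because paid
        // mints may still arrive. A deactivated tier never receives them, so it owes none.
        if (t.remainingQuantity == t.initialQuantity) return isDeactivated ? 0 : 1;

        uint256 paidMints = t.initialQuantity - t.remainingQuantity - t.reservesMinted;
        // Round up so a partial batch of paid mints still earns its reserve.
        uint256 earned = (paidMints + t.reservedRate - 1) / t.reservedRate;
        return earned > t.reservesMinted ? earned - t.reservesMinted : 0;
    }

    // Constructed sample: an untouched tier of 100 tokens with reserved rate 10.
    function demo() external pure returns (uint256 unguarded, uint256 guarded) {
        Tier memory t = Tier(100, 100, 10, 0);
        unguarded = outstandingUnguarded(t);   // rounding applied to a tier that can no longer sell
        guarded = outstandingGuarded(t, true); // rounding skipped because the tier is deactivated
    }
}
```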