Omniscia LOC Game Audit

LOCGamePlayNFT Manual Review Findings

LOG-01M: Inexistent Validation of Card Collection Supply

Type: Logical Fault
Severity: Medium
Location: LOCGamePlayNFT.sol:L25

Description:

The LOCGamePlayNFT system assumes and declares a maximum card limit per collection (MAX_CARDS). However, this limit is not enforced in the minting code of the contract.

Example:

contracts/LOCGamePlayNFT.sol
11  uint256 private constant MAX_CARDS = 1_000_000_000;
12  uint256 private constant MIN_TOKENID_NBR =
13      1_000_000_001_001_000_000_000_000;
14
15  // Mapping from cardId to supply
16  mapping(uint256 => uint256) private cardTotalSupplyMap;
17
18  constructor(address admin, address minter) LOCOZExtension(admin, minter) {}
19
20  function mint(address to, uint256 tokenId) public onlyMinter {
21      require(tokenId >= MIN_TOKENID_NBR, "invalid tokenId format");
22
23      uint256 cardId = extractCardId(tokenId);
24
25      cardTotalSupplyMap[cardId] = cardTotalSupplyMap[cardId].add(1);
26      super._mint(to, tokenId);
27  }

Recommendation:

We advise enforcing this limit by introducing a corresponding require check that validates the cardTotalSupplyMap value of the cardId being minted.
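One way the recommended check could look, as an added example that is not code from the audited project or from the audit report. It is a self-contained stand-in contract: the extractCardId decoding, the ownership mapping that replaces super._mint, the minter field that replaces LOCOZExtension's role check, and the cardSupply getter are all assumptions made so the snippet compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added illustration of the recommended supply check; not the audited contract.
contract CappedCardMint {
    uint256 private constant MAX_CARDS = 1_000_000_000;
    uint256 private constant MIN_TOKENID_NBR =
        1_000_000_001_001_000_000_000_000;

    // Mapping from cardId to supply
    mapping(uint256 => uint256) private cardTotalSupplyMap;
    // Assumption: stand-in for the ERC-721 ownership record kept by super._mint
    mapping(uint256 => address) private tokenOwner;
    // Assumption: stand-in for the minter role managed by LOCOZExtension
    address private immutable minter;

    constructor(address minter_) {
        minter = minter_;
    }

    modifier onlyMinter() {
        require(msg.sender == minter, "caller is not minter");
        _;
    }

    // Hypothetical decoding: the real extractCardId is not shown on the page.
    function extractCardId(uint256 tokenId) public pure returns (uint256) {
        return tokenId / MAX_CARDS;
    }

    // Hypothetical getter so the per-card supply can be inspected in tests.
    function cardSupply(uint256 cardId) external view returns (uint256) {
        return cardTotalSupplyMap[cardId];
    }

    function mint(address to, uint256 tokenId) public onlyMinter {
        require(tokenId >= MIN_TOKENID_NBR, "invalid tokenId format");
        require(to != address(0), "mint to zero address");
        require(tokenOwner[tokenId] == address(0), "token already minted");

        uint256 cardId = extractCardId(tokenId);
        uint256 supply = cardTotalSupplyMap[cardId];
        // The check missing at L25: reject the mint once the collection is full.
        require(supply < MAX_CARDS, "card supply limit reached");

        // Solidity 0.8 arithmetic is checked, so SafeMath's add is not needed here.
        cardTotalSupplyMap[cardId] = supply + 1;
        tokenOwner[tokenId] = to;
    }
}
```

Reading the supply into a local variable and checking it before the increment keeps the cap check, the counter update and the mint in a single ordered path, so a failed check reverts without touching state.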

Alleviation:

The MAX_CARDS variable was instead renamed to CARD_TOKEN_SEPARATOR, thus illustrating that it is not a limit meant to be enforced and nullifying this exhibit.