merge main

Author: Krishang Nadgauda

contracts/drop/DropERC1155.sol

@@ -70,7 +70,7 @@ contract DropERC1155 is
     uint256 private constant MAX_BPS = 10_000;
 
     /// @dev The thirdweb contract with fee related information.
-    ITWFee public immutable thirdwebFee;
+    ITWFee private immutable thirdwebFee;
 
     /// @dev Owner of the contract (purpose: OpenSea compatibility)
     address private _owner;
@@ -265,6 +265,8 @@ contract DropERC1155 is
         bytes32[] calldata _proofs,
         uint256 _proofMaxQuantityPerTransaction
     ) external payable nonReentrant {
+        require(isTrustedForwarder(msg.sender) || _msgSender() == tx.origin, "BOT");
+
         // Get the active claim condition index.
         uint256 activeConditionId = getActiveClaimConditionId(_tokenId);
 

contracts/drop/DropERC20.sol

@@ -54,7 +54,7 @@ contract DropERC20 is
     bytes32 private constant TRANSFER_ROLE = keccak256("TRANSFER_ROLE");
 
     /// @dev The thirdweb contract with fee related information.
-    ITWFee internal immutable thirdwebFee;
+    ITWFee private immutable thirdwebFee;
 
     /// @dev Contract level metadata.
     string public contractURI;
@@ -185,6 +185,8 @@ contract DropERC20 is
         bytes32[] calldata _proofs,
         uint256 _proofMaxQuantityPerTransaction
     ) external payable nonReentrant {
+        require(isTrustedForwarder(msg.sender) || _msgSender() == tx.origin, "BOT");
+
         // Get the claim conditions.
         uint256 activeConditionId = getActiveClaimConditionId();
 

contracts/drop/DropERC721.sol

@@ -63,7 +63,7 @@ contract DropERC721 is
     uint256 private constant MAX_BPS = 10_000;
 
     /// @dev The thirdweb contract with fee related information.
-    ITWFee public immutable thirdwebFee;
+    ITWFee private immutable thirdwebFee;
 
     /// @dev Owner of the contract (purpose: OpenSea compatibility)
     address private _owner;
@@ -328,6 +328,8 @@ contract DropERC721 is
         bytes32[] calldata _proofs,
         uint256 _proofMaxQuantityPerTransaction
     ) external payable nonReentrant {
+        require(isTrustedForwarder(msg.sender) || _msgSender() == tx.origin, "BOT");
+
         uint256 tokenIdToClaim = nextTokenIdToClaim;
 
         // Get the claim conditions.

docs/DropERC1155.md

@@ -1008,23 +1008,6 @@ function symbol() external view returns (string)
 |---|---|---|
 | _0 | string | undefined
 
-### thirdwebFee
-
-```solidity
-function thirdwebFee() external view returns (contract ITWFee)
-```
-
-
-
-*The thirdweb contract with fee related information.*
-
-
-#### Returns
-
-| Name | Type | Description |
-|---|---|---|
-| _0 | contract ITWFee | undefined
-
 ### totalSupply
 
 ```solidity

docs/DropERC721.md

@@ -1080,23 +1080,6 @@ function symbol() external view returns (string)
 |---|---|---|
 | _0 | string | undefined
 
-### thirdwebFee
-
-```solidity
-function thirdwebFee() external view returns (contract ITWFee)
-```
-
-
-
-*The thirdweb contract with fee related information.*
-
-
-#### Returns
-
-| Name | Type | Description |
-|---|---|---|
-| _0 | contract ITWFee | undefined
-
 ### tokenByIndex
 
 ```solidity

scripts/addImplementation.ts

@@ -0,0 +1,39 @@
+import { ethers } from "hardhat";
+
+import { SignerWithAddress } from "@nomiclabs/hardhat-ethers/signers";
+import { TWFactory } from "typechain/TWFactory";
+
+async function main() {
+
+    const [caller]: SignerWithAddress[] = await ethers.getSigners();
+
+    console.log("\nCaller address: ", caller.address);
+
+    const twFactoryAddress: string = ethers.constants.AddressZero; // replace
+    const twFactory: TWFactory = await ethers.getContractAt("TWFactory", twFactoryAddress);
+
+    const hasFactoryRole = await twFactory.hasRole(
+        ethers.utils.solidityKeccak256(["string"], ["FACTORY_ROLE"]),
+        caller.address
+    )
+    if(!hasFactoryRole) {
+        throw new Error("Caller does not have FACTORY_ROLE on new factory");
+    }
+
+    const implementations: string[] = []; // replace
+    const data = implementations.map((impl) => twFactory.interface.encodeFunctionData("addImplementation", [impl]));
+
+    const tx = await twFactory.multicall(data);
+    console.log("Adding implementations: ", tx.hash);
+
+    await tx.wait();
+
+    console.log("Done.");
+}
+
+main()
+    .then(() => process.exit(0))
+    .catch((e) => {
+        console.error(e)
+        process.exit(1)
+    })

scripts/transferBalance.ts

@@ -10,11 +10,12 @@ async function main() {
     console.log(`\nTransferring balance from ${caller.address} to ${receiver}`);
 
     const balance = await ethers.provider.getBalance(caller.address);
-    const cost = ethers.utils.parseUnits("300", "gwei").mul(21_000);
+    const gasPrice = ethers.utils.parseUnits("0", "gwei"); // replace
+    const cost = gasPrice.mul(21_000);
 
     const tx = await caller.sendTransaction({
         to: receiver,
-        gasPrice: ethers.utils.parseUnits("300", "gwei"),
+        gasPrice: gasPrice,
         value: balance.sub(cost)
     });
     console.log("Transferring balance: ", tx.hash);

src/test/drop/DropERC721.t.sol

@@ -6,7 +6,54 @@ import "contracts/drop/DropERC721.sol";
 // Test imports
 import "../utils/BaseTest.sol";
 
-contract BaseDropERC721Test is BaseTest {
+contract SubExploitContract is ERC721Holder, ERC1155Holder {
+    DropERC721 internal drop;
+    address payable internal master;
+
+    constructor(address _drop) {
+        drop = DropERC721(_drop);
+        master = payable(msg.sender);
+    }
+
+    /// @dev Lets an account claim NFTs.
+    function claimDrop(
+        address _receiver,
+        uint256 _quantity,
+        address _currency,
+        uint256 _pricePerToken,
+        bytes32[] calldata _proofs,
+        uint256 _proofMaxQuantityPerTransaction
+    ) external {
+        drop.claim(_receiver, _quantity, _currency, _pricePerToken, _proofs, _proofMaxQuantityPerTransaction);
+
+        selfdestruct(master);
+    }
+}
+
+contract MasterExploitContract is ERC721Holder, ERC1155Holder {
+    address internal drop;
+
+    constructor(address _drop) {
+        drop = _drop;
+    }
+
+    /// @dev Lets an account claim NFTs.
+    function performExploit(
+        address _receiver,
+        uint256 _quantity,
+        address _currency,
+        uint256 _pricePerToken,
+        bytes32[] calldata _proofs,
+        uint256 _proofMaxQuantityPerTransaction
+    ) external {
+        for (uint256 i = 0; i < 100; i++) {
+            SubExploitContract sub = new SubExploitContract(address(drop));
+            sub.claimDrop(_receiver, _quantity, _currency, _pricePerToken, _proofs, _proofMaxQuantityPerTransaction);
+        }
+    }
+}
+
+contract DropERC721Test is BaseTest {
     DropERC721 public drop;
 
     function setUp() public override {
@@ -99,7 +146,6 @@ contract BaseDropERC721Test is BaseTest {
     }
 
     function test_claimCondition_waitTimeInSecondsBetweenClaims() public {
-        vm.startPrank(deployer);
         vm.warp(1);
 
         address receiver = getActor(0);
@@ -110,16 +156,20 @@ contract BaseDropERC721Test is BaseTest {
         conditions[0].quantityLimitPerTransaction = 100;
         conditions[0].waitTimeInSecondsBetweenClaims = type(uint256).max;
 
+        vm.prank(deployer);
         drop.lazyMint(100, "ipfs://", bytes(""));
+        vm.prank(deployer);
         drop.setClaimConditions(conditions, false);
+
+        vm.prank(getActor(5), getActor(5));
         drop.claim(receiver, 1, address(0), 0, proofs, 0);
 
         vm.expectRevert("cannot claim.");
+        vm.prank(getActor(5), getActor(5));
         drop.claim(receiver, 1, address(0), 0, proofs, 0);
     }
 
     function test_claimCondition_resetEligibility_waitTimeInSecondsBetweenClaims() public {
-        vm.startPrank(deployer);
         vm.warp(1);
 
         address receiver = getActor(0);
@@ -130,12 +180,47 @@ contract BaseDropERC721Test is BaseTest {
         conditions[0].quantityLimitPerTransaction = 100;
         conditions[0].waitTimeInSecondsBetweenClaims = type(uint256).max;
 
+        vm.prank(deployer);
         drop.lazyMint(100, "ipfs://", bytes(""));
 
+        vm.prank(deployer);
         drop.setClaimConditions(conditions, false);
+
+        vm.prank(getActor(5), getActor(5));
         drop.claim(receiver, 1, address(0), 0, proofs, 0);
 
+        vm.prank(deployer);
         drop.setClaimConditions(conditions, true);
+
+        vm.prank(getActor(5), getActor(5));
         drop.claim(receiver, 1, address(0), 0, proofs, 0);
     }
+
+    function test_multiple_claim_exploit() public {
+        MasterExploitContract masterExploit = new MasterExploitContract(address(drop));
+
+        DropERC721.ClaimCondition[] memory conditions = new DropERC721.ClaimCondition[](1);
+        conditions[0].maxClaimableSupply = 100;
+        conditions[0].quantityLimitPerTransaction = 1;
+        conditions[0].waitTimeInSecondsBetweenClaims = type(uint256).max;
+
+        vm.prank(deployer);
+        drop.lazyMint(100, "ipfs://", bytes(""));
+
+        vm.prank(deployer);
+        drop.setClaimConditions(conditions, false);
+
+        bytes32[] memory proofs = new bytes32[](0);
+
+        vm.startPrank(getActor(5));
+        vm.expectRevert(bytes("BOT"));
+        masterExploit.performExploit(
+            address(masterExploit),
+            conditions[0].quantityLimitPerTransaction,
+            conditions[0].currency,
+            conditions[0].pricePerToken,
+            proofs,
+            0
+        );
+    }
 }