Open edition macro audit fixes (#397)

nkrishang · web-flow · commit b3544ec63d5c · 2023-06-01T13:06:12.000-04:00
* rename account factory callbacks

* Fix [M-1] Native token can get locked in OpenEditionERC721

* Fix [Q-1, Q-2]

* pkg update
diff --git a/contracts/OpenEditionERC721.sol b/contracts/OpenEditionERC721.sol
@@ -32,7 +32,6 @@ import "./extension/PlatformFee.sol";
 import "./extension/Royalty.sol";
 import "./extension/PrimarySale.sol";
 import "./extension/Ownable.sol";
-import "./extension/DelayedReveal.sol";
 import "./extension/SharedMetadata.sol";
 import "./extension/PermissionsEnumerable.sol";
 import "./extension/Drop.sol";
@@ -63,7 +62,7 @@ contract OpenEditionERC721 is
 
     /// @dev Only transfers to or from TRANSFER_ROLE holders are valid, when transfers are restricted.
     bytes32 private transferRole;
-    /// @dev Only MINTER_ROLE holders can sign off on `MintRequest`s and lazy mint tokens.
+    /// @dev Only MINTER_ROLE holders can update the shared metadata of tokens.
     bytes32 private minterRole;
 
     /// @dev Max bps in the thirdweb system.
@@ -158,13 +157,16 @@ contract OpenEditionERC721 is
         }
 
         uint256 totalPrice = _quantityToClaim * _pricePerToken;
-        address saleRecipient = _primarySaleRecipient == address(0) ? primarySaleRecipient() : _primarySaleRecipient;
 
+        bool validMsgValue;
         if (_currency == CurrencyTransferLib.NATIVE_TOKEN) {
-            if (msg.value != totalPrice) {
-                revert("!Price");
-            }
+            validMsgValue = msg.value == totalPrice;
+        } else {
+            validMsgValue = msg.value == 0;
         }
+        require(validMsgValue, "!V");
+
+        address saleRecipient = _primarySaleRecipient == address(0) ? primarySaleRecipient() : _primarySaleRecipient;
 
         uint256 fees;
         address feeRecipient;
@@ -178,7 +180,7 @@ contract OpenEditionERC721 is
             fees = (totalPrice * platformFeeBps) / MAX_BPS;
         }
 
-        require(totalPrice >= fees, "Price < fees");
+        require(totalPrice >= fees, "!F");
 
         CurrencyTransferLib.transferCurrency(_currency, _msgSender(), feeRecipient, fees);
         CurrencyTransferLib.transferCurrency(_currency, _msgSender(), saleRecipient, totalPrice - fees);
@@ -224,7 +226,7 @@ contract OpenEditionERC721 is
         return hasRole(DEFAULT_ADMIN_ROLE, _msgSender());
     }
 
-    /// @dev Returns whether lazy minting can be done in the given execution context.
+    /// @dev Returns whether the shared metadata of tokens can be set in the given execution context.
     function _canSetSharedMetadata() internal view virtual override returns (bool) {
         return hasRole(minterRole, _msgSender());
     }
diff --git a/contracts/package.json b/contracts/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@thirdweb-dev/contracts",
   "description": "Collection of smart contracts deployable via the thirdweb SDK, dashboard and CLI",
-  "version": "3.5.5",
+  "version": "3.5.6",
   "license": "Apache-2.0",
   "repository": {
     "type": "git",

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@thirdweb-dev/contracts",`
`3`	`3`	`"description": "Collection of smart contracts deployable via the thirdweb SDK, dashboard and CLI",`
`4`		`- "version": "3.5.5",`
	`4`	`+ "version": "3.5.6",`
`5`	`5`	`"license": "Apache-2.0",`
`6`	`6`	`"repository": {`
`7`	`7`	`"type": "git",`