fix claim quantity limit

Author: kumaryash90

contracts/drop/DropERC1155.sol

@@ -290,8 +290,12 @@ contract DropERC1155 is
             _proofMaxQuantityPerTransaction
         );
 
+        // ClaimCondition memory currentClaimPhase = claimCondition[_tokenId].phases[activeConditionId];
+
         // Verify claim validity. If not valid, revert.
-        bool toVerifyMaxQuantityPerTransaction = _proofMaxQuantityPerTransaction == 0;
+        // when there's allowlist present --> verifyClaimMerkleProof will verify the _proofMaxQuantityPerTransaction value with hashed leaf in the allowlist
+        // when there's no allowlist, this check is true --> verifyClaim will check for _quantity being less/equal than the limit
+        bool toVerifyMaxQuantityPerTransaction = _proofMaxQuantityPerTransaction == 0 || claimCondition[_tokenId].phases[activeConditionId].merkleRoot == bytes32(0);
         verifyClaim(
             activeConditionId,
             _msgSender(),

contracts/drop/DropERC20.sol

@@ -209,8 +209,12 @@ contract DropERC20 is
             _proofMaxQuantityPerTransaction
         );
 
+        // ClaimCondition memory currentClaimPhase = claimCondition.phases[activeConditionId];
+
         // Verify claim validity. If not valid, revert.
-        bool toVerifyMaxQuantityPerTransaction = _proofMaxQuantityPerTransaction == 0;
+        // when there's allowlist present --> verifyClaimMerkleProof will verify the _proofMaxQuantityPerTransaction value with hashed leaf in the allowlist
+        // when there's no allowlist, this check is true --> verifyClaim will check for _quantity being less/equal than the limit
+        bool toVerifyMaxQuantityPerTransaction = _proofMaxQuantityPerTransaction == 0 || claimCondition.phases[activeConditionId].merkleRoot == bytes32(0);
         verifyClaim(
             activeConditionId,
             _msgSender(),

contracts/drop/DropERC721.sol

@@ -353,8 +353,12 @@ contract DropERC721 is
             _proofMaxQuantityPerTransaction
         );
 
+        // ClaimCondition memory currentClaimPhase = claimCondition.phases[activeConditionId];
+
         // Verify claim validity. If not valid, revert.
-        bool toVerifyMaxQuantityPerTransaction = _proofMaxQuantityPerTransaction == 0;
+        // when there's allowlist present --> verifyClaimMerkleProof will verify the _proofMaxQuantityPerTransaction value with hashed leaf in the allowlist
+        // when there's no allowlist, this check is true --> verifyClaim will check for _quantity being less/equal than the limit
+        bool toVerifyMaxQuantityPerTransaction = _proofMaxQuantityPerTransaction == 0 || claimCondition.phases[activeConditionId].merkleRoot == bytes32(0);
         verifyClaim(
             activeConditionId,
             _msgSender(),

foundry.toml

@@ -23,7 +23,7 @@ src = 'contracts'
 test = 'src/test'
 verbosity = 0
 #ignored_error_codes = []
-#fuzz_runs = 256
+fuzz_runs = 100
 #ffi = false
 #sender = '0x00a329c0648769a73afac7f9381e08fb43dbea72'
 #tx_origin = '0x00a329c0648769a73afac7f9381e08fb43dbea72'

lib/forge-std

@@ -0,0 +1,49 @@
+// SPDX-License-Identifier: Apache-2.0
+pragma solidity ^0.8.0;
+
+import "contracts/drop/DropERC1155.sol";
+
+// Test imports
+import "../utils/BaseTest.sol";
+
+contract DropERC1155Test is BaseTest {
+    DropERC1155 public drop;
+
+    function setUp() public override {
+        super.setUp();
+        drop = DropERC1155(getContract("DropERC1155"));
+    }
+
+    /*///////////////////////////////////////////////////////////////
+                                Miscellaneous
+    //////////////////////////////////////////////////////////////*/
+
+    function test_revert_claim_claimQty() public {
+        vm.warp(1);
+
+        address receiver = getActor(0);
+        bytes32[] memory proofs = new bytes32[](0);
+
+        DropERC1155.ClaimCondition[] memory conditions = new DropERC1155.ClaimCondition[](1);
+        conditions[0].maxClaimableSupply = 500;
+        conditions[0].quantityLimitPerTransaction = 100;
+        conditions[0].waitTimeInSecondsBetweenClaims = type(uint256).max;
+
+        vm.prank(deployer);
+        drop.lazyMint(500, "ipfs://");
+
+        vm.prank(deployer);
+        drop.setClaimConditions(0, conditions, false);
+
+        vm.prank(getActor(5), getActor(5));
+        vm.expectRevert("invalid quantity claimed.");
+        drop.claim(receiver, 0, 200, address(0), 0, proofs, 2);
+
+        vm.prank(deployer);
+        drop.setClaimConditions(0, conditions, true);
+
+        vm.prank(getActor(5), getActor(5));
+        vm.expectRevert("invalid quantity claimed.");
+        drop.claim(receiver, 0, 200, address(0), 0, proofs, 1);
+    }
+}

src/test/drop/DropERC1155.t.sol

@@ -0,0 +1,49 @@
+// SPDX-License-Identifier: Apache-2.0
+pragma solidity ^0.8.0;
+
+import "contracts/drop/DropERC20.sol";
+
+// Test imports
+import "../utils/BaseTest.sol";
+
+contract DropERC20Test is BaseTest {
+    DropERC20 public drop;
+
+    function setUp() public override {
+        super.setUp();
+        drop = DropERC20(getContract("DropERC20"));
+    }
+
+    /*///////////////////////////////////////////////////////////////
+                                Miscellaneous
+    //////////////////////////////////////////////////////////////*/
+
+    function test_revert_claim_claimQty() public {
+        vm.warp(1);
+
+        address receiver = getActor(0);
+        bytes32[] memory proofs = new bytes32[](0);
+
+        DropERC20.ClaimCondition[] memory conditions = new DropERC1155.ClaimCondition[](1);
+        conditions[0].maxClaimableSupply = 500;
+        conditions[0].quantityLimitPerTransaction = 100;
+        conditions[0].waitTimeInSecondsBetweenClaims = type(uint256).max;
+
+        // vm.prank(deployer);
+        // drop.setMaxTotalSupply(10_000);
+
+        vm.prank(deployer);
+        drop.setClaimConditions(conditions, false);
+
+        vm.prank(getActor(5), getActor(5));
+        vm.expectRevert("invalid quantity claimed.");
+        drop.claim(receiver, 200, address(0), 0, proofs, 1);
+
+        vm.prank(deployer);
+        drop.setClaimConditions(conditions, true);
+
+        vm.prank(getActor(5), getActor(5));
+        vm.expectRevert("invalid quantity claimed.");
+        drop.claim(receiver, 200, address(0), 0, proofs, 1);
+    }
+}

src/test/drop/DropERC20.t.sol

@@ -2,13 +2,15 @@
 pragma solidity ^0.8.0;
 
 import "contracts/drop/DropERC721.sol";
+import "@openzeppelin/contracts/utils/Strings.sol";
 
 // Test imports
 import "../utils/BaseTest.sol";
 
 contract SubExploitContract is ERC721Holder, ERC1155Holder {
     DropERC721 internal drop;
     address payable internal master;
+    // using Strings for uint256;
 
     constructor(address _drop) {
         drop = DropERC721(_drop);
@@ -223,4 +225,123 @@ contract DropERC721Test is BaseTest {
             0
         );
     }
+
+    /*///////////////////////////////////////////////////////////////
+                                Miscellaneous
+    //////////////////////////////////////////////////////////////*/
+
+    function test_revert_claim_claimQty(uint256 x) public {
+        vm.assume(x != 0);
+        vm.warp(1);
+
+        address receiver = getActor(0);
+        bytes32[] memory proofs = new bytes32[](0);
+
+        DropERC721.ClaimCondition[] memory conditions = new DropERC721.ClaimCondition[](1);
+        conditions[0].maxClaimableSupply = 500;
+        conditions[0].quantityLimitPerTransaction = 100;
+        conditions[0].waitTimeInSecondsBetweenClaims = type(uint256).max;
+
+        vm.prank(deployer);
+        drop.lazyMint(500, "ipfs://", bytes(""));
+
+        vm.prank(deployer);
+        drop.setClaimConditions(conditions, false);
+
+        vm.prank(getActor(5), getActor(5));
+        vm.expectRevert("invalid quantity.");
+        drop.claim(receiver, 200, address(0), 0, proofs, x);
+
+        vm.prank(deployer);
+        drop.setClaimConditions(conditions, true);
+
+        vm.prank(getActor(5), getActor(5));
+        vm.expectRevert("invalid quantity.");
+        drop.claim(receiver, 200, address(0), 0, proofs, x);
+    }
+
+    function test_claimCondition_merkleProof(uint256 x) public {
+        vm.assume(x != 0 && x < 500);
+        string[] memory inputs = new string[](3);
+
+        inputs[0] = "node";
+        inputs[1] = "src/test/scripts/generateRoot.ts";
+        inputs[2] = Strings.toString(x);
+        
+        bytes memory result = vm.ffi(inputs);
+        // revert();
+        bytes32 root = abi.decode(result, (bytes32));
+        
+        inputs[1] = "src/test/scripts/getProof.ts";
+        result = vm.ffi(inputs);
+        bytes32[] memory proofs = abi.decode(result, (bytes32[]));
+        
+        vm.warp(1);
+
+        address receiver = address(0x92Bb439374a091c7507bE100183d8D1Ed2c9dAD3);
+
+        // bytes32[] memory proofs = new bytes32[](0);
+
+        DropERC721.ClaimCondition[] memory conditions = new DropERC721.ClaimCondition[](1);
+        conditions[0].maxClaimableSupply = x;
+        conditions[0].quantityLimitPerTransaction = 100;
+        conditions[0].waitTimeInSecondsBetweenClaims = type(uint256).max;
+        conditions[0].merkleRoot = root;
+
+        vm.prank(deployer);
+        drop.lazyMint(x, "ipfs://", "");
+        vm.prank(deployer);
+        drop.setClaimConditions(conditions, false);
+
+        // vm.prank(getActor(5), getActor(5));
+        vm.prank(receiver, receiver);
+        drop.claim(receiver, x, address(0), 0, proofs, x);
+
+        vm.prank(address(4), address(4));
+        vm.expectRevert("not in whitelist.");
+        drop.claim(receiver, x, address(0), 0, proofs, x);
+    }
+
+    function testFail_claimCondition_merkleProof(uint256 x, uint256 y) public {
+        vm.assume(x != 0 && x < 500);
+        vm.assume(x != y);
+        string[] memory inputs = new string[](3);
+
+        inputs[0] = "node";
+        inputs[1] = "src/test/scripts/generateRoot.ts";
+        inputs[2] = Strings.toString(x);
+        
+        bytes memory result = vm.ffi(inputs);
+        // revert();
+        bytes32 root = abi.decode(result, (bytes32));
+        
+        inputs[1] = "src/test/scripts/getProof.ts";
+        result = vm.ffi(inputs);
+        bytes32[] memory proofs = abi.decode(result, (bytes32[]));
+        
+        vm.warp(1);
+
+        address receiver = address(0x92Bb439374a091c7507bE100183d8D1Ed2c9dAD3);
+
+        // bytes32[] memory proofs = new bytes32[](0);
+
+        DropERC721.ClaimCondition[] memory conditions = new DropERC721.ClaimCondition[](1);
+        conditions[0].maxClaimableSupply = x;
+        conditions[0].quantityLimitPerTransaction = 100;
+        conditions[0].waitTimeInSecondsBetweenClaims = type(uint256).max;
+        conditions[0].merkleRoot = root;
+
+        vm.prank(deployer);
+        drop.lazyMint(x, "ipfs://", "");
+        vm.prank(deployer);
+        drop.setClaimConditions(conditions, false);
+
+        // vm.prank(getActor(5), getActor(5));
+        vm.prank(receiver, receiver);
+        drop.claim(receiver, x, address(0), 0, proofs, y);
+
+        vm.prank(address(4), address(4));
+        vm.expectRevert("not in whitelist.");
+        drop.claim(receiver, x, address(0), 0, proofs, y);
+    }
 }

src/test/drop/DropERC721.t.sol

@@ -2,13 +2,17 @@ const { MerkleTree } = require("merkletreejs");
 const keccak256 = require("keccak256");
 const { ethers } = require("ethers");
 
+const process = require('process');
+
 const members = [
   "0x92Bb439374a091c7507bE100183d8D1Ed2c9dAD3",
   "0xD0d82c095d184e6E2c8B72689c9171DE59FFd28d",
   "0xFD78F7E2dF2B8c3D5bff0413c96f3237500898B3",
 ];
 
-const hashedLeafs = members.map(l => ethers.utils.solidityKeccak256(["address", "uint256"], [l, 0]));
+let val = process.argv[2];
+
+const hashedLeafs = members.map(l => ethers.utils.solidityKeccak256(["address", "uint256"], [l, val]));
 
 const tree = new MerkleTree(hashedLeafs, keccak256, {
   sort: true,

src/test/scripts/generateRoot.ts

@@ -2,20 +2,24 @@ const { MerkleTree } = require("merkletreejs");
 const keccak256 = require("keccak256");
 const { ethers } = require("ethers");
 
+const process = require('process');
+
 const members = [
   "0x92Bb439374a091c7507bE100183d8D1Ed2c9dAD3",
   "0xD0d82c095d184e6E2c8B72689c9171DE59FFd28d",
   "0xFD78F7E2dF2B8c3D5bff0413c96f3237500898B3",
 ];
 
-const hashedLeafs = members.map(l => ethers.utils.solidityKeccak256(["address", "uint256"], [l, 0]));
+let val = process.argv[2];
+
+const hashedLeafs = members.map(l => ethers.utils.solidityKeccak256(["address", "uint256"], [l, val]));
 
 const tree = new MerkleTree(hashedLeafs, keccak256, {
   sort: true,
   sortLeaves: true,
   sortPairs: true,
 });
 
-const expectedProof = tree.getHexProof(ethers.utils.solidityKeccak256(["address", "uint256"], [members[0], 0]));
+const expectedProof = tree.getHexProof(ethers.utils.solidityKeccak256(["address", "uint256"], [members[0], val]));
 
 process.stdout.write(ethers.utils.defaultAbiCoder.encode(["bytes32[]"], [expectedProof]));