Phantasmagoria - Wrong check in mintPlayers() function allows mint more players

[sherlock-admin]

Phantasmagoria

medium

Wrong check in mintPlayers() function allows mint more players

Summary

Wrong check in mintPlayers() function allows mint more players

Vulnerability Detail

From the documentation, we can see that users should be able to mint 10 players.

maxGenerationId: The maximum integer generationId that can be used to mint
players. This is the number of players that can be minted per cohort. At game
launch this value will be 10.

However, the following check is incorrect, as it always allows minting 11 players instead of the intended 10.

if (generationId > _maxGenerationId) {
        revert GenerationIDTooHigh(generationId, _maxGenerationId);
}

generationIds is an array. Loop begin counting from 0

uint256 generationId;
for (uint256 i = 0; i < generationIds.length; ) {

Because of the first index in an array is zero the check will only revert when generationId is 11 allowing users to mint more players

Impact

User can mint more players than he should be

Code Snippet

if (generationId > _maxGenerationId) {
        revert GenerationIDTooHigh(generationId, _maxGenerationId);
}

https://github.com/sherlock-audit/2023-04-footium/blob/main/footium-eth-shareable/contracts/FootiumAcademy.sol#L186-L188

Tool used

Manual Review

Recommendation

Change generationId > _maxGenerationId to generationId >= _maxGenerationId

Duplicate of #152