Mint limit can be bypassed by reentrancy #1186
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-1517
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/NextGenCore.sol#L189-L200
Vulnerability details
Impact
Checks-Effects-Interactions Pattern is not followed. Reentrancy is possible with safeMint and the (allowlist or public) mint limit can be bypassed.
Proof of Concept
As above, tokensMintedAllowlistAddress and tokensMintedPerAddress are incremented after _mintProcessing.
Inside _mintProcessing, _safeMint will call onERC721Received of _recipient, which makes reentrancy possible.
Inside mint, _maxAllowance >= gencore.retrieveTokensMintedALPerAddress(col, _delegator) + _numberOfTokens and gencore.retrieveTokensMintedPublicPerAddress(col, msg.sender) + _numberOfTokens <= gencore.viewMaxAllowance(col) are checked before calling gencore.mint, so an attacker can reenter minter.mint inside onERC721Received to bypass the allowlist or public mint limit.
Tools Used
Manual
Recommended Mitigation Steps
Assessed type
Reentrancy
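The ordering problem described in this report, reduced to a single contract and shown beside a Checks-Effects-Interactions ordering, as an added example (not code from the report or from NextGen). The contract name, MAX_ALLOWANCE, nextTokenId and both function names are assumptions, and the limit check and the counter live in one contract here instead of being split between the minter and the core contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC721/ERC721.sol";

// Simplified model (not NextGenCore): one collection, public phase only.
// All names except tokensMintedPerAddress are hypothetical.
contract MintLimitExample is ERC721 {
    uint256 public constant MAX_ALLOWANCE = 2; // assumed per-address limit
    uint256 public nextTokenId;
    mapping(address => uint256) public tokensMintedPerAddress;

    constructor() ERC721("MintLimitExample", "MLE") {}

    // Ordering the report describes: the counter is written after _safeMint.
    // When msg.sender is a contract, _safeMint calls its onERC721Received,
    // and a nested mint made from there still sees the old counter value.
    function mintEffectsAfterInteraction(uint256 numberOfTokens) external {
        require(
            tokensMintedPerAddress[msg.sender] + numberOfTokens <= MAX_ALLOWANCE,
            "mint limit"
        ); // check
        for (uint256 i = 0; i < numberOfTokens; i++) {
            _safeMint(msg.sender, nextTokenId++); // interaction: receiver callback
            tokensMintedPerAddress[msg.sender]++; // effect, recorded too late
        }
    }

    // Checks-Effects-Interactions: the counter and the token id range are
    // final before any callback runs, so a nested call fails the limit check.
    function mintChecksEffectsInteractions(uint256 numberOfTokens) external {
        require(
            tokensMintedPerAddress[msg.sender] + numberOfTokens <= MAX_ALLOWANCE,
            "mint limit"
        ); // check
        tokensMintedPerAddress[msg.sender] += numberOfTokens; // effect
        uint256 firstId = nextTokenId;
        nextTokenId += numberOfTokens; // effect: reserve the ids up front
        for (uint256 i = 0; i < numberOfTokens; i++) {
            _safeMint(msg.sender, firstId + i); // interaction comes last
        }
    }
}
```

OpenZeppelin's nonReentrant modifier on the mint entry point is a common second layer, but the reordering is what keeps the counter consistent with the limit check.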