Artist address can be changed once the artist has called the artistSignature() function #159
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-741
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L147-L166
Vulnerability details
Impact
Medium impact
Bug explanation
In the NextGenCore contract, inside the collectionAdditonalDataStructure struct, there is the address of the collection artist. This address is intended to be set, and when the artist calls artistSignature(), this data gets locked and cannot be changed anymore. However, there is a way to change the artist address after artistSignature() has been executed.
This bug happens when the function setCollectionData is called the first time. If the artist address is set together with collectionTotalSupply equal to 0, the collection creator can change the artist address once the artist has called artistSignature(), because collectionTotalSupply is still equal to zero and the first branch of setCollectionData will be triggered again. See https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L149-L157.
Proof of Concept
The following test demonstrates how this bug can be triggered. It shows a case where the collection creator signs the collection himself and then changes the artist address to that of a reputable artist, to fake that the collection was designed by this reputable artist.
The traces are the following:
Tools Used
Manual review
Recommended Mitigation Steps
Change the condition to enter the first branch of the function setCollectionData from:
to
Assessed type
Invalid Validation
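The gating flaw described under Bug explanation, reduced to a minimal Solidity model with a hardened variant beside it. This is an added example, not the NextGenCore source or the report's own test; the contract name, the shortened parameter lists, the two function-name suffixes and the hardened condition are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model written for this example; it is not the NextGenCore source.
// Access control, freezing and the other collection fields are left out.
contract ArtistLockModel {
    struct Collection { address artist; uint256 maxPurchases; uint256 totalSupply; }
    mapping(uint256 => Collection) public collections;
    mapping(uint256 => bool) public artistSigned;
    mapping(uint256 => string) public signatures;

    // Pattern described in the report: the "first call" branch is gated only on
    // totalSupply == 0, so it stays reachable while the supply is left at zero.
    function setCollectionDataVulnerable(uint256 id, address artist, uint256 maxPurchases, uint256 totalSupply) external {
        Collection storage c = collections[id];
        if (c.totalSupply == 0) {
            c.artist = artist; // still writable after artistSignature()
            c.maxPurchases = maxPurchases;
            c.totalSupply = totalSupply;
        } else {
            c.maxPurchases = maxPurchases;
        }
    }

    // Assumed hardening (the report's own condition is not shown on the page):
    // the artist address is writable only on first setup AND before any signature.
    function setCollectionDataHardened(uint256 id, address artist, uint256 maxPurchases, uint256 totalSupply) external {
        Collection storage c = collections[id];
        bool firstSetup = c.totalSupply == 0;
        if (firstSetup && !artistSigned[id]) c.artist = artist; // locked by the signature
        if (firstSetup) c.totalSupply = totalSupply;            // supply can still be set once
        c.maxPurchases = maxPurchases;
    }

    function artistSignature(uint256 id, string calldata sig) external {
        require(msg.sender == collections[id].artist, "Only artist");
        require(!artistSigned[id], "Already Signed");
        signatures[id] = sig;
        artistSigned[id] = true;
    }
}
```

With the vulnerable setter, a collection configured with a total supply of 0 still accepts a new artist address after artistSignature() has succeeded; with the hardened setter the same call leaves the signed artist address unchanged.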