MinterContract.burnToMint lacks of check setMintingCosts

[c4-submissions]

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/MinterContract.sol#L258-L272
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/MinterContract.sol#L196-L254
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/MinterContract.sol#L326-L365

Vulnerability details

Impact

While MinterContract.getPrice is called by MinterContract.mint, before the call, the function will check setMintingCosts to make sure the minting cost has been set.
Same thing happens to MinterContract.burnOrSwapExternalToMint, before calling MinterContract.getPrice, setMintingCosts is also checked.
But for MinterContract.burnToMint, the function doesn't check setMintingCosts for _mintCollectionID, without this check, if the minting cost hasn't be set, the user can mint _mintCollectionID token free

Proof of Concept

MinterContract.burnToMint:

258     function burnToMint(uint256 _burnCollectionID, uint256 _tokenId, uint256 _mintCollectionID, uint256 _saltfun_o) public payable {
259         require(burnToMintCollections[_burnCollectionID][_mintCollectionID] == true, "Initialize burn");
260         require(block.timestamp >= collectionPhases[_mintCollectionID].publicStartTime && block.timestamp<=collectionPhases[_mintCollectionID].publicEndTime,"No minting");
261         require ((_tokenId >= gencore.viewTokensIndexMin(_burnCollectionID)) && (_tokenId <= gencore.viewTokensIndexMax(_burnCollectionID)), "col/token id error");
262         // minting new token
263         uint256 collectionTokenMintIndex;
264         collectionTokenMintIndex = gencore.viewTokensIndexMin(_mintCollectionID) + gencore.viewCirSupply(_mintCollectionID);
265         require(collectionTokenMintIndex <= gencore.viewTokensIndexMax(_mintCollectionID), "No supply");
266         require(msg.value >= getPrice(_mintCollectionID), "Wrong ETH");
267         uint256 mintIndex = gencore.viewTokensIndexMin(_mintCollectionID) + gencore.viewCirSupply(_mintCollectionID);
268         // burn and mint token
269         address burner = msg.sender;
270         gencore.burnToMint(mintIndex, _burnCollectionID, _tokenId, _mintCollectionID, _saltfun_o, burner);
271         collectionTotalAmount[_mintCollectionID] = collectionTotalAmount[_mintCollectionID] + msg.value;
272     }

Tools Used

VIM

Recommended Mitigation Steps

diff --git a/hardhat/smart-contracts/MinterContract.sol b/hardhat/smart-contracts/MinterContract.sol
index df50841..9fa3cd9 100644
--- a/hardhat/smart-contracts/MinterContract.sol
+++ b/hardhat/smart-contracts/MinterContract.sol
@@ -256,6 +256,7 @@ contract NextGenMinterContract is Ownable {
     // burn to mint function (does not require contract approval)
 
     function burnToMint(uint256 _burnCollectionID, uint256 _tokenId, uint256 _mintCollectionID, uint256 _saltfun_o) public payable {
+        require(setMintingCosts[_collectionID] == true, "Set Minting Costs");
         require(burnToMintCollections[_burnCollectionID][_mintCollectionID] == true, "Initialize burn");
         require(block.timestamp >= collectionPhases[_mintCollectionID].publicStartTime && block.timestamp<=collectionPhases[_mintCollectionID].publicEndTime,"No minting");
         require ((_tokenId >= gencore.viewTokensIndexMin(_burnCollectionID)) && (_tokenId <= gencore.viewTokensIndexMax(_burnCollectionID)), "col/token id error");
@@ -567,4 +568,4 @@ contract NextGenMinterContract is Ownable {
         }
     }
 
-}
\ No newline at end of file
+}

Assessed type

Other

[c4-pre-sort]

141345 marked the issue as duplicate of #478

[c4-judge]

alex-ppg marked the issue as not a duplicate

[c4-judge]

alex-ppg marked the issue as primary issue

[c4-judge]

alex-ppg marked the issue as duplicate of #1866

[c4-judge]

alex-ppg marked the issue as unsatisfactory:
Invalid