-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NextGenMinterContract.mint
suffers reentrancy attack
#1694
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-1517
satisfactory
satisfies C4 submission criteria; eligible for awards
Comments
c4-submissions
added
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
labels
Nov 13, 2023
141345 marked the issue as duplicate of #51 |
141345 marked the issue as duplicate of #1742 |
c4-judge
added
duplicate-1517
satisfactory
satisfies C4 submission criteria; eligible for awards
and removed
duplicate-1742
labels
Dec 4, 2023
alex-ppg marked the issue as satisfactory |
alex-ppg marked the issue as partial-50 |
c4-judge
added
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
and removed
satisfactory
satisfies C4 submission criteria; eligible for awards
labels
Dec 8, 2023
alex-ppg marked the issue as satisfactory |
c4-judge
added
satisfactory
satisfies C4 submission criteria; eligible for awards
and removed
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
labels
Dec 8, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-1517
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L213
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L217
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L224
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L193
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L231
Vulnerability details
Impact
When
NextGenMinterContract.mint
is called. It would ensure that the users cannot mint tokens more than max allowance. However, there is a reentrancy bug inNextGenCore.mint
. The max allowance can be easily bypassed.Proof of Concept
In
NextGenMinterContract.mint
, it would check_maxAllowance >= gencore.retrieveTokensMintedALPerAddress(col, msg.sender) + _numberOfTokens
in the allowlist phase. And it checksgencore.retrieveTokensMintedPublicPerAddress(col, msg.sender) + _numberOfTokens <= gencore.viewMaxAllowance(col)
in the public phase.https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L213
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L217
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L224
The problem is that
tokensMintedAllowlistAddress
andtokensMintedPerAddress
are updated ingencore.mint
after_mintProcessing
.https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L193
And
_mintProcessing
calls_safeMint
._safeMint
calls_checkOnERC721Received
. It provides a chance to do a reentrancy attack. AndNextGenCore.mint
doesn’t follow the CEI(Checks-Effects-Interactions) pattern.https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L231
Since
tokensMintedAllowlistAddress
andtokensMintedPerAddress
are updated after_mintProcessing
. A malicious user can easily do a reentrancy attack to bypass the max allowance and mint as much token as possible.Tools Used
Manual Review
Recommended Mitigation Steps
Add reentrancy guard or implement the CEI(Checks-Effects-Interactions) pattern in
NextGenCore.mint
Assessed type
Reentrancy
The text was updated successfully, but these errors were encountered: