Unlimited minting. #1828
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-1517
partial-25
Incomplete articulation of vulnerability; eligible for partial credit only (25%)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/MinterContract.sol#L196
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/MinterContract.sol#L258
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/NextGenCore.sol#L193
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/NextGenCore.sol#L231
Vulnerability details
Impact
The number of mints is set, but the number of mints can be exceeded.
Proof of Concept
In the gncore.mint function, the number of mints is managed by tokensMintedPerAddress and tokensMintedAllowlistAddress, but _safeMint is invoked before updating them. Therefore, when re-entry is performed, any number of mints can be made.
Tools Used
Manual
Recommended Mitigation Steps
Update the state and then call _safeMint. Or make it a normal mint instead of safe.
Assessed type
Reentrancy
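The ordering problem described in this report, as a small Python model added here for illustration (it is not code from the NextGen contracts or from the report's author). `Collection`, `ReentrantReceiver`, `tokens_received` and the cap of 2 are assumptions; the receiver is a test double for a contract whose `onERC721Received` hook calls back into `mint`, and the model compares updating the counter after the callback with updating it before.

```python
# Added model, not NextGen code. Collection, ReentrantReceiver, MAX_PER_ADDRESS
# and tokens_received are hypothetical names; the cap value is assumed.
MAX_PER_ADDRESS = 2


class Revert(Exception):
    """Stands in for a failed require()."""


class Collection:
    def __init__(self, effects_first):
        self.effects_first = effects_first   # True: counter updated before the callback
        self.tokens_minted_per_address = {}
        self.owners = []                     # owners[token_id] = receiver

    def mint(self, receiver):
        counts = self.tokens_minted_per_address
        if counts.get(receiver, 0) >= MAX_PER_ADDRESS:      # check
            raise Revert("cap reached")
        if self.effects_first:
            counts[receiver] = counts.get(receiver, 0) + 1  # effect
            self._safe_mint(receiver)                       # interaction
        else:
            self._safe_mint(receiver)   # callback runs while the counter is stale
            counts[receiver] = counts.get(receiver, 0) + 1

    def _safe_mint(self, receiver):
        self.owners.append(receiver)
        receiver.on_erc721_received(self)    # models the onERC721Received hook


class ReentrantReceiver:
    """Test double: calls mint() again from inside the receive hook."""
    def __init__(self, extra_calls):
        self.extra_calls = extra_calls

    def on_erc721_received(self, collection):
        if self.extra_calls > 0:
            self.extra_calls -= 1
            try:
                collection.mint(self)
            except Revert:               # models try/catch around the nested call
                self.extra_calls = 0


def tokens_received(effects_first, extra_calls=5):
    collection = Collection(effects_first)
    receiver = ReentrantReceiver(extra_calls)
    collection.mint(receiver)
    return collection.owners.count(receiver)
```

With the counter updated after the callback, every nested call sees a count of zero and the cap check never fires; with the counter updated first, the nested call that would exceed the cap reverts.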