Users can mint more tokens compared to what its allowed to mint #1859
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-1517
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/MinterContract.sol#L234-L237
Vulnerability details
Impact
An allowlist address can mint more tokens than what it is allowed to mint and any address during the public phase can mint more tokens compared to what its allowed to mint (maxCollectionPurchases) due to reentrancy into the
NextGenMinterContract.mint
function.Proof of Concept
Suppose a user is allowed to mint 3 tokens. Then the user calls the
NextGenMinterContract.mint
function with_numberOfTokens
equals 3. When the protocol makes theonERC721Received
invoke from the_safeMint
the user reenters into theNextGenMinterContract.mint
function with_numberOfTokens
equals 2 and on the next step 1. The condition will be true for every call:https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/MinterContract.sol#L213
After the last reentrance call is executed the previous call continues minting remaining tokens in the loop:
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/MinterContract.sol#L234-L237
This way the user receives 6 tokens instead of allowed 3.
The same attack can be provided to mint more tokens during the public phase.
Tools Used
Manual review
Recommended Mitigation Steps
Consider using the
nonReentrant
modifier to prevent reentrancy in themint
function.Assessed type
Reentrancy
The text was updated successfully, but these errors were encountered: