Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MinterContract.burnToMint FUNCTION DOES NOT CHECK WHETHER setMintingCosts IS SET FOR A SPECIFIC _mintCollectionID THUS ALLOWING FREE MINTS USING THE burnToMint FUNCTION #1866

Closed
c4-submissions opened this issue Nov 13, 2023 · 5 comments
Closed

MinterContract.burnToMint FUNCTION DOES NOT CHECK WHETHER setMintingCosts IS SET FOR A SPECIFIC _mintCollectionID THUS ALLOWING FREE MINTS USING THE burnToMint FUNCTION #1866

c4-submissions opened this issue Nov 13, 2023 · 5 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working primary issue Highest quality submission among a set of duplicates sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sufficient quality report This report is of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L197
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L329

Vulnerability details

Impact

In both the MinterContract.mint function and the MinterContract.burnOrSwapExternalToMint functions there is a check to ensure that the minting cost of the collection is set as shown below:

    require(setMintingCosts[_mintCollectionID] == true, "Set Minting Costs");

But the same check is not performed in the MinterContract.burnToMint function which is also used to mint a collection ERC721 token after burning a token of a NextGen collection. If the setMintingCosts is not set for the specific _mintCollectionID it means the MinterContract.setCollectionCosts is not called thus the parameters such as collectionPhases[_collectionID].collectionMintCost,collectionPhases[_collectionID].collectionEndMintCost and collectionPhases[_collectionID].rate have 0 as their respective values.

As a result the getPrice(_mintCollectionID) function call inside the burnToMint function will return 0 if the setCollectionCosts is not set for the specific _mintCollectionID. As a result the following require statement will pass even for msg.value == 0.

    require(msg.value >= getPrice(_mintCollectionID), "Wrong ETH");

Hence the burnToMint function can be called by anyone (since there is no access control) to mint ERC721 tokens without paying the underlying native tokens for the mint if the setCollectionCosts is not set for the specific _mintCollectionID.

Hence any address with the approval to burn the tokenId or the owner of the burning tokenId can mint any other NextGen collection token (with specific _mintCollectionID) without paying the underlying mint cost given that the setMintingCosts is not set for that specific _mintCollectionID.

Proof of Concept

        require(setMintingCosts[_collectionID] == true, "Set Minting Costs");

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L197

        require(setMintingCosts[_mintCollectionID] == true, "Set Minting Costs");

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L329

Tools Used

Manual Review and VSCode

Recommended Mitigation Steps

Hence it is recommended to check the setMintingCosts condition inside the MinterContract.burnToMint function by implementing the following require statement inside the burnToMint function as shown below:

function burnToMint(uint256 _burnCollectionID, uint256 _tokenId, uint256 _mintCollectionID, uint256 _saltfun_o) public payable { 
    require(setMintingCosts[_mintCollectionID] == true, "Set Minting Costs");

The above modification ensures that the setMintingCosts is set for the specific _mintCollectionID before minting of a new tokenId takes place. If the setMintingCosts is not set the transaction will revert not allowing any user to mint the ERC721 token for free.

Assessed type

Other
@c4-submissions c4-submissions added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Nov 13, 2023
c4-submissions added a commit that referenced this issue Nov 13, 2023
@c4-submissions
Udsen issue #1866
cb297ea
@c4-pre-sort
Copy link

141345 marked the issue as primary issue

@c4-pre-sort c4-pre-sort added the primary issue Highest quality submission among a set of duplicates label Nov 16, 2023
@c4-pre-sort c4-pre-sort mentioned this issue Nov 16, 2023
Closed
@c4-sponsor
Copy link

a2rocket (sponsor) confirmed

@c4-sponsor c4-sponsor added the sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") label Nov 24, 2023
@c4-pre-sort
Copy link

141345 marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Nov 27, 2023
This was referenced Dec 4, 2023
Closed
Closed
@alex-ppg
Copy link

alex-ppg commented Dec 7, 2023

The Warden specifies that a collection can be set up for the burnToMint execution path by a NextGen administrator via initializeBurn without having collection costs defined.

The Sponsor has confirmed this submission, however, the code does not function as the Warden describes.

The burnToMint function relies on a collection's phases having been properly set up as observed here.

To specify a collection's phases, the collection costs are mandated to have been defined. As such, this submission is invalid.

@c4-judge c4-judge closed this as completed Dec 7, 2023
@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Dec 7, 2023
@c4-judge
Copy link

c4-judge commented Dec 7, 2023

alex-ppg marked the issue as unsatisfactory:
Invalid

@alex-ppg alex-ppg mentioned this issue Dec 8, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working primary issue Highest quality submission among a set of duplicates sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") sufficient quality report This report is of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@alex-ppg @c4-judge @c4-sponsor @c4-pre-sort @c4-submissions