-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The reentrancy vulnerability in NextGenCore can allow an attacker to manipulate minting execution #2039
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
duplicate-1517
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Comments
thebrittfactor
added
the
3 (High Risk)
Assets can be stolen/lost/compromised directly
label
Nov 13, 2023
For transparency, due to submission issues, the warden provided this submission prior to audit close. |
141345 marked the issue as primary issue |
c4-pre-sort
added
the
primary issue
Highest quality submission among a set of duplicates
label
Nov 14, 2023
This was referenced Nov 14, 2023
c4-pre-sort
removed
the
primary issue
Highest quality submission among a set of duplicates
label
Nov 16, 2023
141345 marked the issue as duplicate of #51 |
141345 marked the issue as duplicate of #1742 |
alex-ppg marked the issue as satisfactory |
c4-judge
added
the
satisfactory
satisfies C4 submission criteria; eligible for awards
label
Dec 8, 2023
alex-ppg marked the issue as partial-50 |
c4-judge
added
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
and removed
satisfactory
satisfies C4 submission criteria; eligible for awards
labels
Dec 8, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
duplicate-1517
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/hardhat/smart-contracts/NextGenCore.sol#L194
Vulnerability details
Impact
Function _mintProcessing() has been used in mint() and airDropTokens() and
both doesn't follow check-effect-interaction pattern and code updates the
values of tokensAirdropPerAddress, tokensMintedAllowlistAddress and
tokensMintedPerAddress variables after making external call by using
safeMint(). This would give attacker opportunity to reenter the Minter
contract logics and perform malicious action while contract storage state
is wrong.
Attacker can perform this action:
[224](https://github.com/code-423n4/2023-10-nextgen/blob/main/hardhat/smart-contracts/MinterContract.sol#L224)
in the case of public phase and line [217](https://github.com/code-423n4/2023-10-nextgen/blob/main/hardhat/smart-contracts/MinterContract.sol#L217)
for the allowList phase - ( Notice this function performs this checks using
the values returned from retrieveTokensMintedALPerAddress and
retrieveTokensMintedALPerAddress)
contract
this crucial varaible on line [194](https://github.com/code-423n4/2023-10-nextgen/blob/main/hardhat/smart-contracts/NextGenCore.sol#L194).
transaction has not yet settled reenter the minting ( Note - bypasses limit
check because neither tokensMintedAllowlistAddress or
tokensMintedPerAddress has been updated ) and mint passed limit.
settle, minting possibly ALL collection's totalSupply
Proof of Concept
This is mint() code in NextGenCore contract:
_mintProcessing:
As you can see code would make external call to onERC721Received() function
of the account address by calling _safeMint() and the code only sets the
values for tokensMintedAllowlistAddress and tokensMintedPerAddress after
this call. so code don't follow check-effect-interaction pattern and it's
possible to perform reentrancy attack. there could be multiple scenarios
that attacker can perform the attack and do damage. e.g:
scenario #1 where attacker bypasses limit and mints possibly ALL
collection's totalSupply (as shown above)
scenario #2 where attacker could execute a read-only reentrancy on the
retrieveTokensAirdroppedPerAddress() function if any integrated art company
rely on it's returned value (as shown [here](https://github.com/code-423n4/2023-10-nextgen/blob/main/hardhat/smart-contracts/NextGenCore.sol#L183))
Tools Used
Visual Studio Code
Recommended Mitigation Steps
follow the check-effect-interaction pattern or add a reentrancy guard.
Assessed type
Reentrancy
The text was updated successfully, but these errors were encountered: