Usage of _safeMint in NextGenCore@_mintProcessing allows an attacker to reenter when onERC721Received is called #2050
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-1517
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L227-L232
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L213-L223
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L189-L200
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L236
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L270
Vulnerability details
Impact
An attacker can:
Fixed Price Sale, Exponential Descending Sale and Linear Descending Sale modes.
Burn-to-Mint mode by accepting an offer when onERC721Received is triggered.
Proof of Concept
Test Setup
Init
forge init --no-git --force
foundry.toml config
Test
Results
Traces
This shows how the token to be burned is transferred to the buyer in the sale simulation then burned afterwards.
Tools Used
Manual review
Recommended Mitigation Steps
Follow the Checks / Effects / Interactions pattern (e.g. update tokensMintedAllowlistAddress/tokensMintedPerAddress before calling _mintProcessing) / add ReentrancyGuard.
Assessed type
Reentrancy
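The recommended mitigation above, sketched as an added example (not code from the report or from NextGenCore): a hypothetical minimal collection that applies Checks / Effects / Interactions and a reentrancy guard around _safeMint. It assumes OpenZeppelin Contracts v4.9 import paths; the contract name, MAX_ALLOWANCE and nextTokenId are constructed for illustration, and only the counter name tokensMintedPerAddress is borrowed from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Assumption: OpenZeppelin Contracts v4.9 layout (v5 moved ReentrancyGuard to utils/).
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

/// Hypothetical minimal collection used to show the ordering; not NextGenCore.
contract GuardedMint is ERC721, ReentrancyGuard {
    uint256 public constant MAX_ALLOWANCE = 2; // constructed per-address cap
    uint256 private nextTokenId;
    mapping(address => uint256) public tokensMintedPerAddress;

    constructor() ERC721("GuardedMint", "GM") {}

    function mint(uint256 quantity) external nonReentrant {
        // Checks: validate against the cap using state that is already final.
        require(quantity > 0, "zero quantity");
        require(
            tokensMintedPerAddress[msg.sender] + quantity <= MAX_ALLOWANCE,
            "max allowance reached"
        );

        // Effects: finish all accounting before any external call is made.
        tokensMintedPerAddress[msg.sender] += quantity;
        uint256 firstId = nextTokenId;
        nextTokenId = firstId + quantity;

        // Interactions: _safeMint invokes onERC721Received on contract recipients.
        // A callback that re-enters mint() is rejected by nonReentrant; even
        // without the guard it would read the updated counter and fail the check.
        for (uint256 i = 0; i < quantity; i++) {
            _safeMint(msg.sender, firstId + i);
        }
    }
}
```

The guard and the ordering are independent defences: the ordering protects the allowance check, while nonReentrant also covers other state-changing functions on the same contract that a callback might reach.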