Minting can be reentered because mint allowance is updated after the mint itself #272
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-1517
edited-by-warden
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L213
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L217
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L224
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L193-L198
Vulnerability details
Impact
Minting is re-entrable because internal accounting is updated after the actual minting is done. If the address that mints is of a contract, it can re-enter in its
onERC721Received
callback and mint as much tokens as it'd like, given it has a sufficient ETH balance to buy the NFTs and that there's also enough sufficient supply of that collection left.After the initial mint transaction when the attacker reenters into
MinterContract#mint()
their tokens minted per public address will not be updated and will return the old balance:Only NFT collections with a Periodic Sale model cannot be taken advantage of because the time difference calculation since last mint underflows if more than 1 NFT is attempted to be minted within 1 transaction/block.
Proof of Concept
In order to run the provided PoC, please first initialize Forge:
forge init --no-git --force
Then in the root directory's
test
folder paste the content of the gist in a new filePOC.t.sol
in the./test
directory and run it usingforge test --match-path ./test/POC.t.sol
.Link to PoC: https://gist.github.com/flackoon/39e2f08a6e9b30a86de607585b6cb1e4
The PoC demonstrates how an honest minter
BOB
is only allowed to mint up tomaxCollectionPurchases
(set to 1 in the test) and on the other side aGreedyNFTReceiver
contract designed to take advantage of the vulnerability can mint as much NFTs as they wish, given they have enough ETH to pay for them & that there's sufficient supply left.Tools Used
Foundry Forge
Recommended Mitigation Steps
Just process mint after internal allowances accounting for minted tokens per address has been done.
Assessed type
Reentrancy
The text was updated successfully, but these errors were encountered: