_recipients, _tokenData, _saltfun_o and _numberOfTokens should all have same length in airDropTokens

[c4-submissions]

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L181-L192

Vulnerability details

Impact

No check is being made on the length of the input arrays in the airDropTokens function, meaning the caller could get an unexpected behavior from the airdrop function with no warning in case of mistakes in the inputs.

We mark this vulnerability as MEDIUM as it could alter the good functioning of the NextGenCore contract.

Proof of Concept

Let’s have a closer look at the airDropTokens function below

function airDropTokens(address[] memory _recipients, string[] memory _tokenData, uint256[] memory _saltfun_o, uint256 _collectionID, uint256[] memory _numberOfTokens) public FunctionAdminRequired(this.airDropTokens.selector) {
        require(gencore.retrievewereDataAdded(_collectionID) == true, "Add data");
        uint256 collectionTokenMintIndex;
        for (uint256 y=0; y< _recipients.length; y++) {
            collectionTokenMintIndex = gencore.viewTokensIndexMin(_collectionID) + gencore.viewCirSupply(_collectionID) + _numberOfTokens[y] - 1;
            require(collectionTokenMintIndex <= gencore.viewTokensIndexMax(_collectionID), "No supply");
            for(uint256 i = 0; i < _numberOfTokens[y]; i++) {
                uint256 mintIndex = gencore.viewTokensIndexMin(_collectionID) + gencore.viewCirSupply(_collectionID);
                gencore.airDropTokens(mintIndex, _recipients[y], _tokenData[y], _saltfun_o[y], _collectionID);
            }
        }
    }

If a function admin calls this function with three arrays as input with, for example, _recipients.length == 3, _tokenData.length == 4, _saltfun_o.length == 4 and _numberOfTokens.length == 4 (this could mean the admin wanted to airdrop to 4 recipients but forgot one of the values in the _recipients array).
In that case, the function will go through fine, airdropping for the 3 recipients given in the _recipients array.

As the function will not revert in that case, the admin could think that he successfully airdropped for 4 recipients when in fact only 3 received the airdrop.

This is easily fixed so should be prevented.

Tools Used

Manual Review / Visual Studio

Recommended Mitigation Steps

Add a require statement to the airDropTokens function to avoid this situation.

The airDropTokens function could then look like this:

 function airDropTokens(address[] memory _recipients, string[] memory _tokenData, uint256[] memory _saltfun_o, uint256 _collectionID, uint256[] memory _numberOfTokens) public FunctionAdminRequired(this.airDropTokens.selector) {
        require((_recipients.length == _tokenData.length) && (_recipients._saltfun_o == _tokenData.length) && (_recipients._saltfun_o == _numberOfTokens.length), “wrong inputs”);
        require(gencore.retrievewereDataAdded(_collectionID) == true, "Add data");
        uint256 collectionTokenMintIndex;
        for (uint256 y=0; y< _recipients.length; y++) {
            collectionTokenMintIndex = gencore.viewTokensIndexMin(_collectionID) + gencore.viewCirSupply(_collectionID) + _numberOfTokens[y] - 1;
            require(collectionTokenMintIndex <= gencore.viewTokensIndexMax(_collectionID), "No supply");
            for(uint256 i = 0; i < _numberOfTokens[y]; i++) {
                uint256 mintIndex = gencore.viewTokensIndexMin(_collectionID) + gencore.viewCirSupply(_collectionID);
                gencore.airDropTokens(mintIndex, _recipients[y], _tokenData[y], _saltfun_o[y], _collectionID);
            }
        }
 }

meaning the call will revert if inputs are wrong.

Assessed type

Invalid Validation

[c4-pre-sort]

141345 marked the issue as duplicate of #478

[c4-judge]

alex-ppg marked the issue as not a duplicate

[c4-judge]

alex-ppg marked the issue as duplicate of #1384

[c4-judge]

alex-ppg marked the issue as unsatisfactory:
Out of scope