Reentrancy in mint causing minter to mint more tokens than allowed #528
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-1517
partial-25
Incomplete articulation of vulnerability; eligible for partial credit only (25%)
upgraded by judge
Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/NextGenCore.sol#L197
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/NextGenCore.sol#L195
Vulnerability details
Impact
Because token minted per address is updated after mint, makes a contract to be able to mint more than max allowed times. The minter still needs to pay the price for each token, hence the medium severity.
Proof of Concept
The core contract is using
safeMint
function to make sure receiver has successfully received the token. However, when the receiver is a contract address, a callback ofonERC721Received
function will be called. In this function, the minter can setup another or multiple mint calls to the minter contract, with prices in msg.value, to mint more tokens than max allowed.In this poc, I setup with foundry, and the test case would showcase how the limit can be bypassed.
Tools Used
Manual review, foundry.
Recommended Mitigation Steps
Add reentrance lock as function modifier, or update the tokens minted before mint.
Assessed type
Reentrancy
The text was updated successfully, but these errors were encountered: