The maximum allowance limitation can be bypassed by reentrancy to the mint
function
#691
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-1517
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L193-L198
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L231
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/ERC721.sol#L237-L251
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/ERC721.sol#L400-L422
Vulnerability details
Impact
The minting process utilizes the
_safeMint
function, which calls theonERC721Received
callback function on the recipient during the transfer if the recipient is a contract.At this moment, an attacker is able to re-enter the
mint
function.The number of tokens minted by a user is updated after minting.
Therefore, an attacker can bypass the maximum allowance limitation and mint an arbitrary number of tokens.
Proof of Concept
To test the POC, first initialize a foundry project. In the repository's root folder, execute the following commands:
Next, add the
POC.t.sol
file to thetest
folder.Run tests using:
forge test
Tools Used
Manual review
Recommended Mitigation Steps
Follow the Checks-Effects-Interactions pattern, ensure that all contract state changes are made before external interactions or implement reentrancy guard modifiers.
Assessed type
Reentrancy
The text was updated successfully, but these errors were encountered: