Reentrancy attack on minter contract enables users to purchase more NFTs than max purchasable number both in allowlist/public periods. #902
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-1517
partial-50
Incomplete articulation of vulnerability; eligible for partial credit only (50%)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/MinterContract.sol#L196
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/NextGenCore.sol#L193-L198
Vulnerability details
Description
ERC721
contract derived byNextGenCore
supportsIERC721Receiver
feature that callsonERC721Received
function ifmsg.sender
is a contract.This includes a vulnerability for malicious smart contracts override this function and try re-entrancy attacks to mint more NFTs than they are allowed to mint.
Proof of Concept
Here's a test case written in foundry that shows re-entrancy attack to mint more NFTs and the max allowed number.
Result of the test:
Tools Used
Manual Review, Foundry
Recommended Mitigation Steps
Use
nonReentrant
modifier for mint function to prevent re-entrancy attacks.Also here's some more suggestions:
In
mint
andairDropTokens
functions ofNextGenCore
contract, update states liketokensMintedPerAddress
before actually minting/airdropping an NFT.Assessed type
Reentrancy
The text was updated successfully, but these errors were encountered: