It is not clear if the NFT in mintWithAlphaOrBeta() function is to be minted with alphaID and betaID. Given the function name and logic, it appears it should so (no specification/documentation to refer to) but the _mint() call uses the _createVia parameter as-is and not the alphaID and betaID whose calculations are only used for the respective ownership checks within the conditional.
This affects the tracking of NFT creator which could have implications on the perceived authenticity of the NFT and affect prices.
Handle
0xRajeev
Vulnerability details
Impact
It is not clear if the NFT in mintWithAlphaOrBeta() function is to be minted with alphaID and betaID. Given the function name and logic, it appears it should so (no specification/documentation to refer to) but the _mint() call uses the _createVia parameter as-is and not the alphaID and betaID whose calculations are only used for the respective ownership checks within the conditional.
This affects the tracking of NFT creator which could have implications on the perceived authenticity of the NFT and affect prices.
Proof of Concept
https://github.com/code-423n4/2021-04-redacted/blob/2ec4ce8e98374be2048126485ad8ddacc2d36d2f/Beebots.sol#L352-L374
https://github.com/code-423n4/2021-04-redacted/blob/2ec4ce8e98374be2048126485ad8ddacc2d36d2f/Beebots.sol#L362-L364
https://github.com/code-423n4/2021-04-redacted/blob/2ec4ce8e98374be2048126485ad8ddacc2d36d2f/Beebots.sol#L368-L370
https://github.com/code-423n4/2021-04-redacted/blob/2ec4ce8e98374be2048126485ad8ddacc2d36d2f/Beebots.sol#L373
Tools Used
Manual Analysis
Recommended Mitigation Steps
Ensure the correct NFT creatorID: alphaID or betaID is used.