Handle
leastwood
Vulnerability details
Impact
Consider an RCFactory contract where the card limit is set to the default 100. A market creator intending to set up a market will call the RCFactory.createMarket() function with the relevant inputs. One of these inputs, namely _tokenURIs, is used to store the location of NFT metadata for the original and copy NFTs. The checks to ensure a valid _tokenURIs simply divide the array length by 2. For odd-length inputs, the quotient is truncated. As a result, it is possible to set 1 more _tokenURI than cardLimit * 2 and have this result stored in the tokenURIs variable.
Proof of Concept
https://github.com/code-423n4/2021-08-realitycards/blob/main/contracts/RCFactory.sol#L636-L767
Tools Used
Manual code review
Recommended Mitigation Steps
Ensure the _tokenURIs input to the function RCFactory.createMarket() is not of odd length.
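The length check described above next to the recommended parity check, as an added example that is not taken from the RealityCards source. The contract name, function names and revert strings are hypothetical; only cardLimit, _tokenURIs and tokenURIs come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Simplified model written for this example; not the RCFactory code.
contract TokenURILengthCheck {
    uint256 public cardLimit = 100; // default limit named in the finding
    string[] public tokenURIs;      // stands in for the stored URI list

    /// Check as the finding describes it: only length / 2 is compared
    /// against cardLimit, so an odd-length array loses its remainder.
    function storeUnchecked(string[] calldata _tokenURIs) external {
        uint256 numberOfCards = _tokenURIs.length / 2; // 201 / 2 == 100
        require(numberOfCards <= cardLimit, "too many cards");
        _store(_tokenURIs); // all 201 entries are stored
    }

    /// Recommended mitigation: reject odd-length input before dividing.
    function storeChecked(string[] calldata _tokenURIs) external {
        require(_tokenURIs.length % 2 == 0, "odd number of token URIs");
        require(_tokenURIs.length / 2 <= cardLimit, "too many cards");
        _store(_tokenURIs);
    }

    /// Replaces the stored list with the caller's input.
    function _store(string[] calldata _tokenURIs) private {
        delete tokenURIs;
        for (uint256 i = 0; i < _tokenURIs.length; i++) {
            tokenURIs.push(_tokenURIs[i]);
        }
    }
}
```

With cardLimit at 100, a 201-element array passes storeUnchecked and reverts in storeChecked.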