During the code review, It has been seen that merged tokenIds burned but position is not deleted from array mapping.
Proof of Concept
Navigate to the following function.
function merge(uint256[] memory tokenIds_, address destination_) external returns (uint256 tokenId_) {
uint256 count = tokenIds_.length;
require(count > uint256(1), "MIN_2_TO_MERGE");
uint256 points;
// For each NFT, check that it belongs to the caller, burn it, and accumulate the points.
for (uint256 i; i < count; ++i) {
uint256 tokenId = tokenIds_[i];
require(ownerOf(tokenId) == msg.sender, "NOT_OWNER");
require(positionOf[tokenId].expiry == uint32(0), "POSITION_NOT_UNLOCKED");
_burn(tokenId);
points += _getPointsFromTokenId(tokenId);
}
// Mine a new NFT to the destinations, based on the accumulated points.
_safeMint(destination_, tokenId_ = _generateNewTokenId(points));
}
However, the position has not been deleted.
delete positionOf[tokenId_];
Tools Used
None
Recommended Mitigation Steps
Consider to review merge function behaviour and consider to re-generate position for the new token.
Handle
defsec
Vulnerability details
Impact
During the code review, It has been seen that merged tokenIds burned but position is not deleted from array mapping.
Proof of Concept
Tools Used
None
Recommended Mitigation Steps
Consider to review merge function behaviour and consider to re-generate position for the new token.