Minters can bypass the limitPerAccount and mint as many tokens as they want during a drop sale.
Vulnerability Details
In mintFromFixedPriceSale, there is a check to ensure that an address can only mint as many tokens as determined by limitPerAccount:
NFTDropMarketFixedPriceSale.sol#L182-L189
// Confirm that the buyer will not exceed the limit specified after minting.
if (IERC721(nftContract).balanceOf(msg.sender) + count > saleConfig.limitPerAccount) {
    ...
    revert NFTDropMarketFixedPriceSale_Cannot_Buy_More_Than_Limit(saleConfig.limitPerAccount);
}
However, the contract only checks the current balance of the buyer, not how many tokens the buyer has already minted. Therefore, a buyer can transfer their newly minted tokens to another address, which brings their balance back under the limit, and mint another batch of tokens. This is especially bad in airdrop-style drops with 0 price, as a single malicious user can potentially mint out the whole collection.
Proof of Concept
Alice calls createFixedPriceSale to start the sale for her NFTDropCollection with 1 as the limitPerAccount.
Bob mints 1 token, and immediately transfers the token to another address.
Bob can now mint again and repeat the previous step indefinitely until supply runs out.
Recommended Mitigation Steps
It is impossible to enforce a minting limit on a free-for-all sale without resorting to some sort of allowlists/snapshots. In the short term, we can make it more difficult to exploit by:
Storing the number of tokens minted by each address and checking that instead of balanceOf, preventing users from reusing the same address to mint, and
Adding a check to disallow smart contract minters. This would prevent a malicious user from minting a lot of tokens in one transaction via a smart contract.
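The two short-term mitigations above, written out as an added Solidity example (not Foundation's code): the IDropCollectionMint interface, the contract name and the omitted access control on createFixedPriceSale are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// @dev Assumed mint hook on the drop collection (not the project's own interface).
interface IDropCollectionMint {
    function mintCountTo(uint16 count, address to) external returns (uint256 firstTokenId);
}

/// Added example: a minimal fixed-price drop sale applying both short-term mitigations.
contract FixedPriceSaleWithMintCounter {
    struct SaleConfig {
        uint256 price;
        uint16 limitPerAccount;
    }

    mapping(address => SaleConfig) public saleConfigs;

    /// Mitigation 1: per-collection, per-account mint count. Unlike balanceOf,
    /// this never decreases when the buyer transfers the minted tokens away.
    mapping(address => mapping(address => uint256)) public mintedByAccount;

    error Cannot_Buy_More_Than_Limit(uint256 limitPerAccount);
    error Contract_Minters_Not_Allowed();
    error Incorrect_Payment();

    function createFixedPriceSale(address nftContract, uint256 price, uint16 limitPerAccount) external {
        // Collection-admin access control omitted here; assumed to exist in a real deployment.
        saleConfigs[nftContract] = SaleConfig(price, limitPerAccount);
    }

    function mintFromFixedPriceSale(address nftContract, uint16 count) external payable returns (uint256 firstTokenId) {
        SaleConfig memory saleConfig = saleConfigs[nftContract];

        // Mitigation 2: only externally owned accounts may mint, so one transaction
        // cannot fan out the limit across many freshly deployed contracts.
        if (msg.sender != tx.origin) revert Contract_Minters_Not_Allowed();

        // Mitigation 1: compare the recorded mint count, not the live balance.
        uint256 minted = mintedByAccount[nftContract][msg.sender];
        if (minted + count > saleConfig.limitPerAccount) {
            revert Cannot_Buy_More_Than_Limit(saleConfig.limitPerAccount);
        }
        mintedByAccount[nftContract][msg.sender] = minted + count;

        if (msg.value != saleConfig.price * count) revert Incorrect_Payment();

        firstTokenId = IDropCollectionMint(nftContract).mintCountTo(count, msg.sender);
    }
}
```

As the finding notes, this only raises the cost of abuse: a user with many externally owned accounts can still exceed the intended per-person limit, which is why allowlists or snapshots are needed for real enforcement.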
Lines of code
https://github.com/code-423n4/2022-08-foundation/blob/792e00df429b0df9ee5d909a0a5a6e72bd07cf79/contracts/mixins/nftDropMarket/NFTDropMarketFixedPriceSale.sol#L183
https://github.com/code-423n4/2022-08-foundation/blob/792e00df429b0df9ee5d909a0a5a6e72bd07cf79/contracts/mixins/nftDropMarket/NFTDropMarketFixedPriceSale.sol#L239-L240