code-423n4 / 2022-08-foundation-findings


NFT Creator can rug the project by calling self destruct on NFT #235

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-08-foundation/blob/792e00df429b0df9ee5d909a0a5a6e72bd07cf79/contracts/NFTCollection.sol#L230

Vulnerability details

Impact

In NFTCollection Contract

We have

  /**
   * @notice Allows the collection creator to destroy this contract only if
   * no NFTs have been minted yet or the minted NFTs have been burned.
   * @dev Once destructed, a new collection could be deployed to this address (although that's discouraged).
   */
  function selfDestruct() external onlyCreator {
    _selfDestruct();
  }

The creator can rug the project by calling selfDestruct.

Proof of Concept

A malicious creator can deploy the project, then maliciously destroy the contract to invalidate the NFT.

Tools Used

Recommended Mitigation Steps

Remove the self destruct functionality.

HardlyDifficult commented 2 years ago

Invalid -- yes, self destruct is supported, but only when the totalSupply is 0, so there are no users who were rugged.