There is no limit of the length of properties in addProperties of MetadataRenderer.sol. So it is possible to add more than 15 properties via voting.
In this case onMinted will be reverted because it uses index 16 of array tokenAttributes whose length is 16. As a result, mint and auction will fail.
If item count of a property is 0 after addProperties, onMinted will also fail again. So another validation is needed.
Recommended Mitigation Steps
Validate the length of properties and item count for each property.
GalloDaSballo
commented
2 years ago
Lines of code
https://github.com/code-423n4/2022-09-nouns-builder/blob/7e9fddbbacdd7d7812e912a369cfd862ee67dc03/src/token/metadata/MetadataRenderer.sol#L179-L199
Vulnerability details
Impact
There is no limit of the length of properties in
addPropertiesofMetadataRenderer.sol. So it is possible to add more than 15 properties via voting. In this caseonMintedwill be reverted because it uses index 16 of array tokenAttributes whose length is 16. As a result, mint and auction will fail.If item count of a property is 0 after
addProperties,onMintedwill also fail again. So another validation is needed.Recommended Mitigation Steps
Validate the length of properties and item count for each property.