In NFTDriver.sol, the safeMint() function has a reentrancy vulnerability. When writing or interacting with callback functions in Solidity, it's important to ensure that they can't be used to perform unexpected effects. _safeMint invokes a callback on the recipient (onERC721Received), so the recipient contract may define any arbitrary logic to be executed, including re-entering the initial mint function, thereby bypassing limits defined in the contract code.
Proof of Concept
    function safeMint(address to, UserMetadata[] calldata userMetadata)
        public
        whenNotPaused
        returns (uint256 tokenId)
    {
        tokenId = _registerTokenId();
        _safeMint(to, tokenId);
        if (userMetadata.length > 0) dripsHub.emitUserMetadata(tokenId, userMetadata);
    }
Lines of code
https://github.com/code-423n4/2023-01-drips/blob/main/src/NFTDriver.sol#L79
Tools Used
Manual Review
Recommended Mitigation Steps
Add the nonReentrant modifier to the safeMint() function.
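The recommended guard, shown as an added example that is not code from the Drips repository: a minimal mint function that calls the recipient's onERC721Received hook the way _safeMint does, protected by a hand-written nonReentrant modifier standing in for a library implementation. GuardedMinter, ReenteringReceiver and nextTokenId are hypothetical names, and the receiver is a constructed test contract used only to show the guard reverting a nested call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration; all contract and variable names here are hypothetical.
interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external
        returns (bytes4);
}

contract GuardedMinter {
    uint256 private _status = 1; // 1 = not entered, 2 = entered
    uint256 public nextTokenId;
    mapping(uint256 => address) public ownerOf;

    // Rejects any call that arrives while a guarded function is still executing.
    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    function safeMint(address to) public nonReentrant returns (uint256 tokenId) {
        tokenId = nextTokenId++;
        ownerOf[tokenId] = to;
        // Same hook _safeMint uses: control passes to `to` before safeMint returns.
        if (to.code.length > 0) {
            bytes4 ret = IERC721Receiver(to).onERC721Received(msg.sender, address(0), tokenId, "");
            require(ret == IERC721Receiver.onERC721Received.selector, "receiver rejected token");
        }
    }
}

// Constructed receiver for testing the guard: it calls safeMint again from the hook.
contract ReenteringReceiver is IERC721Receiver {
    GuardedMinter public immutable minter;

    constructor(GuardedMinter m) {
        minter = m;
    }

    function onERC721Received(address, address, uint256, bytes calldata) external returns (bytes4) {
        minter.safeMint(address(this)); // reverts with "reentrant call"
        return IERC721Receiver.onERC721Received.selector;
    }
}
```

Minting to a ReenteringReceiver reverts the whole transaction, so a regression test can assert on the "reentrant call" revert reason and on nextTokenId staying unchanged.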