Open code423n4 opened 1 year ago
thereksfour changed the severity to QA (Quality Assurance)
thereksfour marked the issue as grade-a
TutaRicky marked the issue as sponsor disputed
We are aware of this, but we dispute validity because of gas and potential reentrancy (and because EOA from the frontend will mostly use lottery).
Lines of code
https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Ticket.sol#L23-L27
Vulnerability details
Lottery tickets are represented by NFTs using the ERC721 standard. When tickets are bought, the protocol will mint the corresponding NFT to the caller using the _mint internal call to the OpenZeppelin implementation. This function doesn't implement the check to ensure the caller is able to handle ERC721 NFTs in case it is a contract.
https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Ticket.sol#L23-L27
Impact
Contracts that interact with the protocol and purchase tickets will likely result in the loss of tickets if the caller contract is unaware of the NFT transfer and fails to implement proper support to handle them.
Recommendation
Use _safeMint when minting tickets:
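The following is an added illustration, not the project's Ticket.sol and not the snippet elided from the report above. It assumes OpenZeppelin v4 and a hypothetical simplified TicketExample contract: it places the unchecked _mint path beside the _safeMint path, guards the _safeMint callback against reentrancy, and shows a buyer contract that implements onERC721Received next to one that does not.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumes OpenZeppelin Contracts v4 import paths.
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// Hypothetical simplified ticket NFT; not the WenWin Ticket.sol code.
contract TicketExample is ERC721, ReentrancyGuard {
    uint256 public nextId;

    constructor() ERC721("Ticket", "TKT") {}

    // Unchecked path: _mint only writes storage. A contract recipient that
    // cannot handle ERC721 tokens silently receives a ticket it can never move.
    function mintUnchecked(address to) external returns (uint256 id) {
        id = nextId++;
        _mint(to, id);
    }

    // Checked path: _safeMint additionally calls onERC721Received on contract
    // recipients and reverts unless the expected selector is returned. That
    // call hands control to the recipient, so state is updated first
    // (checks-effects-interactions) and the function is reentrancy-guarded.
    function mintSafe(address to) external nonReentrant returns (uint256 id) {
        id = nextId++;      // effect before the external call
        _safeMint(to, id);  // interaction: may call into `to`
    }
}

// A buyer contract able to hold tickets: it implements the receiver hook.
contract TicketBuyer is IERC721Receiver {
    function buy(TicketExample t) external returns (uint256) {
        return t.mintSafe(address(this));
    }

    function onERC721Received(address, address, uint256, bytes calldata)
        external pure override returns (bytes4)
    {
        return IERC721Receiver.onERC721Received.selector;
    }
}

// A buyer contract without the hook: mintUnchecked(address(this)) would
// succeed and strand the ticket; mintSafe(address(this)) reverts instead.
contract NaiveBuyer {
    function buy(TicketExample t) external returns (uint256) {
        return t.mintSafe(address(this)); // reverts: no onERC721Received
    }
}
```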