code-423n4 / 2023-09-delegate-findings


It is possible to brute force salt values to get a desired delegate token ID in the DelegateToken contract. #292

Closed by c4-submissions 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-09-delegate/blob/a6dbac8068760ee4fc5bababb57e3fe79e5eeb2e/src/DelegateToken.sol#L300
https://github.com/code-423n4/2023-09-delegate/blob/a6dbac8068760ee4fc5bababb57e3fe79e5eeb2e/src/DelegateToken.sol#L281

Vulnerability details

Impact

Proof of Concept

The new delegate token ID is derived only from msg.sender and a salt. It's possible for someone to brute force salt values to get a desired token ID.

It simply hashes the caller address and salt together. This allows an attacker to brute force different salt values until the hash output equals their desired token ID. This allows the attacker to mint any token ID they want.

Tools Used

Manual

Recommended Mitigation Steps

  1. Use a more secure method of generating token IDs, like an auto-incrementing counter
  2. Add a prefix to the salt instead of just encoding the sender and salt:

Assessed type

Other
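An added illustration, not code from the 2023-09-delegate repository or from the submission above: it sketches the caller-plus-salt ID derivation the finding describes next to the two alternatives from the mitigation list. The contract and function names, the prefix constant and the uint96 salt width are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Illustrative contract (assumed names, not the audited DelegateToken):
/// compares a hash-only token ID with the two mitigations from the finding.
contract DelegateIdExample {
    // Mitigation 2: a contract-specific domain prefix mixed into the hash
    // (name and value are assumptions).
    bytes32 private constant ID_PREFIX = keccak256("DelegateIdExample.delegateId");

    // Mitigation 1: sequential IDs that no caller input influences.
    uint256 private nextId = 1;

    mapping(uint256 => bool) public minted;

    /// ID as the finding describes it: a function of the caller and salt only.
    function saltedId(address creator, uint96 salt) public pure returns (uint256) {
        return uint256(keccak256(abi.encode(creator, salt)));
    }

    /// Mitigation 2: the same inputs, bound to a domain prefix first.
    function prefixedId(address creator, uint96 salt) public pure returns (uint256) {
        return uint256(keccak256(abi.encode(ID_PREFIX, creator, salt)));
    }

    /// Mitigation 1: hand out the next counter value.
    function counterId() internal returns (uint256 id) {
        id = nextId++;
    }

    /// Mint with the hash-derived ID; the require is what stops an ID
    /// from being minted twice, whichever derivation is used.
    function mintSalted(uint96 salt) external returns (uint256 id) {
        id = prefixedId(msg.sender, salt);
        require(!minted[id], "id already minted");
        minted[id] = true;
    }

    /// Mint with the counter-derived ID; IDs are unique by construction.
    function mintCounter() external returns (uint256 id) {
        id = counterId();
        minted[id] = true;
    }
}
```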

c4-judge commented 11 months ago

GalloDaSballo marked the issue as unsatisfactory: Invalid