Closed c4-submissions closed 10 months ago
141345 marked the issue as duplicate of #51
141345 marked the issue as duplicate of #1742
alex-ppg marked the issue as not a duplicate
alex-ppg marked the issue as duplicate of #90
alex-ppg marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L213-L223
Vulnerability details
Impact
The burnToMint() function in the NextGenCore contract does not follow the recommended CEI pattern, which allows contract addresses to re-enter using the onERC721Received() hook and mint an arbitrary number of NFTs by burning only a single token. This can lead to a single address accumulating the majority of the totalSupply by burning a single mint pass. This can result in financial losses for other users who may have spent funds to acquire such a mint pass.
Proof of Concept
Likelihood: High
Impact: High
Contract: NextGenCore
In NFT projects it is common to sell NFTs that act as mint passes for another upcoming NFT collection. NextGen protocol uses the burnToMint() function to perform a similar operation. But the burnToMint() function in the NextGenCore contract does not follow the Checks-Effects-Interactions pattern, which allows a malicious account to burn a single approved NFT to mint an arbitrary number of NFTs in the new collection until the total supply of the collection is exhausted. Let's prove this with a case study.
Assume NextGen plans to release their main collection 2 a month later, but in preparation they want to raise funds by selling collection 1 to interested users.

NextGen sells a total of 1000 NFTs from collection 1 for a fixed price of 0.1 ether, so that collection 2 can be minted by burning collection 1 in a 1:1 ratio.

Let's say the demand for collection 2 is very high in the market and each mint pass (i.e., collection 1) is selling for 1 ETH each.

Adam = Attacker

Adam notices the reentrancy vulnerability present in the burnToMint() function and observes the profitable situation in the market.

When the time comes to mint, he attacks the system by minting the majority of the collection 2 NFTs by burning just a single mint pass. He then proceeds to sell all the minted collection 2 NFTs in the market, making a massive profit.

Meanwhile, the rest of the mint pass holders are not able to get their 'guaranteed' mints, as the total supply was already exhausted by Adam.
Step 1
Step 2
Step 3
Step 4
The above PoC shows Adam (attacker) ends up with the majority of the collection 2 NFTs by burning just a single collection 1 mint pass. Resulting in
Tools Used
Foundry, Manual Analysis.
Recommended Mitigation Steps
Use a reentrancy guard. Follow the CEI pattern. Burn the mint pass NFT before making the external call to mint a new collection.
Assessed type
Reentrancy
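A minimal Python model of the ordering recommended under Recommended Mitigation Steps, added here as an example and not NextGen's contract code: the pass is burned and the new token recorded before the receiver hook runs, with an optional reentrancy guard on top. PassMinter, ReenteringReceiver, Reverted, the pass id 7 and the supply cap are constructed for illustration.

```python
class Reverted(Exception):
    """Stands in for an EVM revert (model only)."""

class PassMinter:
    """Hypothetical ledger: burning one pass mints one token of the new collection."""
    def __init__(self, pass_owners, supply_cap, use_guard=True):
        self.pass_owner = dict(pass_owners)  # pass id -> current owner
        self.minted = {}                     # new token id -> owner
        self.supply_cap = supply_cap
        self.use_guard = use_guard
        self._entered = False

    def burn_to_mint(self, pass_id, burner):
        if self.use_guard and self._entered:
            raise Reverted("reentrant call")       # guard: reject nested entry
        self._entered = True
        try:
            # Checks: caller must still own the pass, supply must remain
            if self.pass_owner.get(pass_id) is not burner:
                raise Reverted("not owner of pass")
            if len(self.minted) >= self.supply_cap:
                raise Reverted("supply exhausted")
            # Effects: burn the pass and record the mint before any callback
            del self.pass_owner[pass_id]
            token_id = len(self.minted)
            self.minted[token_id] = burner
            # Interaction: receiver hook (models onERC721Received) runs last
            hook = getattr(burner, "on_received", None)
            if hook is not None:
                hook(self, token_id)
            return token_id
        finally:
            self._entered = False

class ReenteringReceiver:
    """Constructed test receiver whose hook calls burn_to_mint again."""
    def __init__(self, pass_id):
        self.pass_id, self.errors = pass_id, []

    def on_received(self, minter, token_id):
        try:
            minter.burn_to_mint(self.pass_id, self)
        except Reverted as exc:
            self.errors.append(str(exc))           # record why re-entry failed

def run(use_guard):
    receiver = ReenteringReceiver(pass_id=7)
    minter = PassMinter({7: receiver}, supply_cap=1000, use_guard=use_guard)
    minter.burn_to_mint(7, receiver)
    return len(minter.minted), receiver.errors
```

With the guard switched off, the nested call still fails the ownership check because the pass was already burned in the effects step, so either layer alone holds the mint count at one in this model.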