Closed c4-submissions closed 10 months ago
141345 marked the issue as duplicate of #51
141345 marked the issue as duplicate of #1742
alex-ppg marked the issue as satisfactory
alex-ppg marked the issue as partial-50
alex-ppg marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/NextGenCore.sol#L193
Vulnerability details
Impact
A malicious user can re-enter the MinterContract.mint function and mint more tokens than the limit of 1 token during each time period. This issue is outlined in the README as follows:
Vulnerability details
The MinterContract.mint function is used by users to mint their tokens.
View MinterContract.mint
Within the NextGenCore.mint function, the _mintProcessing function is called.
View NextGenCore.mint
Following this, the ERC721._safeMint function is invoked, wherein the NFT is minted and the user's onERC721Received callback is triggered.
View ERC721._safeMint
Because the user's callback (onERC721Received) is invoked from _checkOnERC721Received, a malicious user can re-enter the MinterContract.mint function before tokensMintedPerAddress is updated in NextGenCore.mint.
View NextGenCore.mint
This lets them bypass the maximum-limit-per-address check in MinterContract.mint.
View MinterContract.mint
As a result, the user can mint additional tokens exceeding the max allowance in the public sale.
If the salesOption is set to 3, the user should be limited to minting only one token per period. However, due to the reentrancy issue described above, the user is able to mint multiple tokens. The timePeriod is set by the admin in setCollectionCosts.
Proof of Concept
To execute the POC, you will need to utilize the following Attacker contract. Place this contract in smart-contracts/Attacker.sol.
Next, insert the following test case into test/nextGen.test.js and execute it using the command
hardhat test ./test/nextGen.test.js --grep 'Mint by period'
Tools Used
Manual Review
Recommended Mitigation Steps
You have two options for addressing the issue:
Add the nonReentrant modifier to MinterContract.mint to prevent reentrancy.
Update tokensMintedPerAddress before the _mintProcessing invocation, so the per-address count is already incremented when the onERC721Received callback runs.
Assessed type
Reentrancy
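As an added illustration (not NextGen's code and not the warden's PoC), the vulnerable ordering described above beside the hardened form recommended in the mitigation: a stripped-down one-mint-per-period rule standing in for salesOption 3, with assumed OpenZeppelin 4.x ERC721 and ReentrancyGuard imports.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not NextGen's code: a simplified one-mint-per-period
// rule reproducing the ordering bug, beside the hardened version.
// Assumed dependencies: OpenZeppelin 4.x ERC721 and ReentrancyGuard.
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

abstract contract PeriodMintBase is ERC721 {
    uint256 public immutable timePeriod; // length of one mint window (admin-set)
    uint256 public immutable saleStart;
    uint256 public nextTokenId;
    // period index => minter => tokens minted by that address in the period
    mapping(uint256 => mapping(address => uint256)) public tokensMintedPerAddress;

    constructor(uint256 _timePeriod) ERC721("Demo", "DEMO") {
        require(_timePeriod > 0, "period must be > 0");
        timePeriod = _timePeriod;
        saleStart = block.timestamp;
    }

    function currentPeriod() public view returns (uint256) {
        return (block.timestamp - saleStart) / timePeriod;
    }
}

// Vulnerable ordering: the counter is written AFTER _safeMint. _safeMint calls
// onERC721Received on a contract recipient, which can call mint() again while
// the require below still sees the stale (zero) count.
contract VulnerableMint is PeriodMintBase {
    constructor(uint256 p) PeriodMintBase(p) {}

    function mint() external {
        uint256 period = currentPeriod();
        require(tokensMintedPerAddress[period][msg.sender] < 1, "limit: 1 per period");
        _safeMint(msg.sender, nextTokenId++);            // interaction (callback)
        tokensMintedPerAddress[period][msg.sender] += 1; // effect after interaction
    }
}

// Hardened: effects before interactions, plus nonReentrant as defence in depth.
contract HardenedMint is PeriodMintBase, ReentrancyGuard {
    constructor(uint256 p) PeriodMintBase(p) {}

    function mint() external nonReentrant {
        uint256 period = currentPeriod();
        require(tokensMintedPerAddress[period][msg.sender] < 1, "limit: 1 per period");
        tokensMintedPerAddress[period][msg.sender] += 1; // effect first
        _safeMint(msg.sender, nextTokenId++);            // interaction last
    }
}
```

Either of the two changes in HardenedMint closes the path on its own; the counter update before _safeMint is the checks-effects-interactions fix, and nonReentrant guards any other callback that may be added later.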