MinterContract::burnToMint() do not mint any token for the case where current circulationSupply greater than eq to totalSupply, make user pay ETH for nothing. #1959
MinterContract::burnToMint() allows burning and minting a new token in the same function. Every time a new NFT get mint, the minter has to pay a price return by getPrice(_mintCollectionID)(in ETH). The issue is if the circulation supply for that collection exceed the totalSupply in NextgenCore contract. User would end up paying eth for nothing. As no nft minted to the user.
function burnToMint(uint256 mintIndex, uint256 _burnCollectionID, uint256 _tokenId, uint256 _mintCollectionID, uint256 _saltfun_o, address burner) external {
require(msg.sender == minterContract, "Caller is not the Minter Contract");
require(_isApprovedOrOwner(burner, _tokenId), "ERC721: caller is not token owner or approved");
collectionAdditionalData[_mintCollectionID].collectionCirculationSupply = collectionAdditionalData[_mintCollectionID].collectionCirculationSupply + 1;
// @audit below check will failed if circulation supply exceed current totalSupply
if (collectionAdditionalData[_mintCollectionID].collectionTotalSupply >= collectionAdditionalData[_mintCollectionID].collectionCirculationSupply) {
_mintProcessing(mintIndex, ownerOf(_tokenId), tokenData[_tokenId], _mintCollectionID, _saltfun_o);
// burn token
_burn(_tokenId);
burnAmount[_burnCollectionID] = burnAmount[_burnCollectionID] + 1;
}
}
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/NextGenCore.sol#L213-L223
Vulnerability details
Impact
MinterContract::burnToMint() allows burning and minting a new token in the same function. Every time a new NFT get mint, the minter has to pay a price return by
getPrice(_mintCollectionID)
(in ETH). The issue is if the circulation supply for that collection exceed the totalSupply in NextgenCore contract. User would end up paying eth for nothing. As no nft minted to the user.Proof of Concept
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/MinterContract.sol#L270 https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/NextGenCore.sol#L217
Tools Used
Manual review
Recommended Mitigation Steps
Add an else block, which revert for the case where totalSupply reached for that collection.
Assessed type
ETH-Transfer