code-423n4 / 2023-10-nextgen-findings


User can mint more tokens than is allowed #1961

Closed c4-submissions closed 10 months ago

c4-submissions commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L218

Vulnerability details

Impact

Every user is allowed to mint a maximum of maxCollectionPurchases tokens. This can be easily bypassed if the user first calls the burnToMint() function and then mint().

When the burnToMint() function is called, a token from one collection is burned and a new token from a new collection is minted if the collection is in the phase of public minting. So, if maxCollectionPurchases = 20 for the new collection and the user first calls burnToMint() and after that calls mint() 20 times, he will have 21 tokens, but the maximum required will be 20. This is possible because there is a missing increment of tokensMintedPerAddress in the burnToMint function.

Recommended Mitigation Steps

Make the following changes:

 function burnToMint(uint256 mintIndex, uint256 _burnCollectionID, uint256 _tokenId, uint256 _mintCollectionID, uint256 _saltfun_o, address burner) external {
        require(msg.sender == minterContract, "Caller is not the Minter Contract");
        require(_isApprovedOrOwner(burner, _tokenId), "ERC721: caller is not token owner or approved");
        collectionAdditionalData[_mintCollectionID].collectionCirculationSupply = collectionAdditionalData[_mintCollectionID].collectionCirculationSupply + 1;
        if (collectionAdditionalData[_mintCollectionID].collectionTotalSupply >= collectionAdditionalData[_mintCollectionID].collectionCirculationSupply) {
            _mintProcessing(mintIndex, ownerOf(_tokenId), tokenData[_tokenId], _mintCollectionID, _saltfun_o);
+           tokensMintedPerAddress[_mintCollectionID][ownerOf(_tokenId)] = tokensMintedPerAddress[_mintCollectionID][ownerOf(_tokenId)] + 1;
            // burn token
            _burn(_tokenId);
            burnAmount[_burnCollectionID] = burnAmount[_burnCollectionID] + 1;
        }
    }
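
Review bot: the added `tokensMintedPerAddress` increment only records the mint; nothing in the visible body of burnToMint compares that counter against maxCollectionPurchases, so the cap is enforced on this path only if the minter contract checks it before calling in. Confirm that check exists for burn-to-mint, or add a require here, otherwise a call made after the counter has reached the limit would still mint. Separately, `ownerOf(_tokenId)` is now evaluated three times; read it once into a local and reuse it for `_mintProcessing` and both sides of the increment, and keep the increment ahead of `_burn(_tokenId)`, since the owner lookup no longer resolves once the token is burned.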

Assessed type

Other
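
A simplified Python model of the counter accounting described in this report, added here as an example (it is not the submitter's or the project's code), showing the cap invariant failing without the increment and holding with it for the reported call sequence. All names other than maxCollectionPurchases and tokensMintedPerAddress are assumptions, as is placing the cap check inside mint().

```python
class CollectionModel:
    """Toy model of one collection's per-address mint accounting (assumed layout)."""

    def __init__(self, max_collection_purchases, count_burn_to_mint):
        self.max_collection_purchases = max_collection_purchases
        self.count_burn_to_mint = count_burn_to_mint  # True = mitigation applied
        self.tokens_minted_per_address = {}  # counter the cap check reads
        self.received = {}                   # tokens actually issued per address

    def _issue(self, user):
        self.received[user] = self.received.get(user, 0) + 1

    def _bump(self, user):
        count = self.tokens_minted_per_address.get(user, 0)
        self.tokens_minted_per_address[user] = count + 1

    def mint(self, user):
        # Public-phase cap check, modelled on the limit described in the report.
        if self.tokens_minted_per_address.get(user, 0) >= self.max_collection_purchases:
            raise PermissionError("max collection purchases reached")
        self._issue(user)
        self._bump(user)

    def burn_to_mint(self, user):
        # The report shows no cap check on this path, so none is modelled.
        self._issue(user)
        if self.count_burn_to_mint:
            self._bump(user)


def burn_then_mint(model, user, attempts):
    """One burn-to-mint, then `attempts` mint calls. Returns (received, rejected)."""
    model.burn_to_mint(user)
    rejected = 0
    for _ in range(attempts):
        try:
            model.mint(user)
        except PermissionError:
            rejected += 1
    return model.received[user], rejected


def cap_invariant_holds(model):
    """Invariant to assert in tests: nobody holds more issued tokens than the cap."""
    return all(n <= model.max_collection_purchases for n in model.received.values())
```
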

c4-pre-sort commented 10 months ago

141345 marked the issue as duplicate of #1198

c4-pre-sort commented 10 months ago

141345 marked the issue as duplicate of #1597

c4-pre-sort commented 10 months ago

141345 marked the issue as not a duplicate

c4-pre-sort commented 10 months ago

141345 marked the issue as duplicate of #1763

c4-judge commented 10 months ago

alex-ppg changed the severity to QA (Quality Assurance)

c4-judge commented 10 months ago

alex-ppg marked the issue as grade-c