search

code-423n4 / 2023-10-nextgen-findings

5 stars 3 forks source link

Users get pay for multiple NFTs and only get 1 minted #1982

Closed c4-submissions closed 10 months ago

c4-submissions commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/MinterContract.sol#L196-L197 https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/MinterContract.sol#L233

Vulnerability details

Impact

Users get only 1 NFT after paying for multiple or more than one

Proof of Concept

In MinterContract.mint users can mint more than one token and are allowed to pay for the number of tokens minted.

function mint( uint256 _collectionID, uint256 _numberOfTokens, uint256 _maxAllowance, string memory _tokenData, address _mintTo, bytes32[] calldata merkleProof, address _delegator, uint256 _saltfun_o ) public payable { require(setMintingCosts[_collectionID] == true, "Set Minting Costs"); .....

require(msg.value >= (getPrice(col) * _numberOfTokens), "Wrong ETH");

payment for the number of tokens inputed is done here; then mint is called in Nextgencore

 gencore.viewCirSupply(col);
        gencore.mint(
            mintIndex,
            mintingAddress,
            _mintTo,
            tokData,
            _saltfun_o,
            col,
            phase
        );

then in mint the address is updated by adding just one token

{ _mintProcessing( mintIndex, _mintTo, _tokenData, _collectionID, _saltfun_o ); if (phase == 1) { tokensMintedAllowlistAddress[_collectionID][_mintingAddress] = tokensMintedAllowlistAddress[_collectionID][ _mintingAddress ] + 1; } else { tokensMintedPerAddress[_collectionID][_mintingAddress] = tokensMintedPerAddress[_collectionID][_mintingAddress] + 1; } } }

_mintProcessing() is then called which further calls openzeppelin ERC721 _safemint() and in the end only one token is minted and updated but the user could have paid for more than one.

Tools Used

Manual Review

Recommended Mitigation Steps

Get the numberOftokens minted input from the mintercontract and use it when updating the tokensMintedPerAddress in the Nextgencore.

Assessed type

Other

c4-pre-sort commented 10 months ago

141345 marked the issue as insufficient quality report

141345 commented 10 months ago

invalid

mint() in for loop

alex-ppg commented 10 months ago

The Warden specifies that a single mint operation will occur per a batch purchase, however, as the Sponsor states, this is invalid as the mint operations are performed in a loop meaning that sufficient mint operations will be executed per batch purchase.

c4-judge commented 10 months ago

alex-ppg marked the issue as unsatisfactory: Invalid