Closed c4-submissions closed 7 months ago
141345 marked the issue as primary issue
a2rocket (sponsor) disputed
there are additional checks on the mint function on the Minter Contract.
141345 marked the issue as sufficient quality report
141345 marked the issue as duplicate of #1282
141345 marked the issue as not a duplicate
141345 marked the issue as duplicate of #1282
alex-ppg marked the issue as not a duplicate
alex-ppg marked the issue as duplicate of #1201
alex-ppg changed the severity to QA (Quality Assurance)
alex-ppg marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/MinterContract.sol#L196-L253
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/NextGenCore.sol#L307-L311
Vulnerability details
Impact
It is possible to push the collection total supply past what is set by the owner on creating the collection. Collection total supply accounting is compromised.
Proof of Concept
In MinterContract.sol, mint() has the following checks to ensure the amount of minted NFTs remains in the bound set by the creator.
The problem is that the NFTs are minted in a for-loop, therefore a malicious user could reenter mint(...) through the onERC721Received hook before the for-loop has iterated over all tokens. In a situation where the minted NFTs in the first for loop will be the last of a collection, a malicious user can reenter & artificially push collectionAdditionalData[_collectionID].collectionCirculationSupply since the checks before the for loop will have stale balances & mint(...) inside the NextGenContract doesn't revert. It's an artificial inflation since no new NFTs are minted, only the circulation supply is updated - see mint(...) inside NextGenCore. Later, when setFinalSupply(...) is called, the collection total supply is set to the Circulating Total Supply which is over inflated & collectionTotalSupply will hold a wrong value. However, whoever extends the count beyond the total supply set by the owner will still have to pay the price per NFT (without receiving one). Whether there is incentive to disrupt the total supply accounting for a given price depends on external circumstances but it is achievable.
Tools Used
Manual Inspection
Recommended Mitigation Steps
Perform updates in batches depending on the number of tokens minted. Alternatively, have the mint(...) function in the NextGenContract revert when total supply is surpassed.
Assessed type
Context
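The accounting described in the report above, as an added example that is not part of the original submission and is not NextGen's contract code: a simplified Python model (all class and function names are hypothetical) in which the bound is checked once before the loop and the core mint moves the counter without reverting, next to the report's second mitigation, where the core mint reverts once the cap would be passed. It assumes the behaviour exactly as the report states it and does not model the additional Minter checks the sponsor refers to.

```python
# Simplified model of the accounting as the report describes it.
# All names are hypothetical; this is not the NextGen contract code.
class Revert(Exception):
    """Stands in for an EVM revert."""

class Core:
    def __init__(self, total_supply, circulation, strict):
        self.total_supply = total_supply
        self.circulation = circulation   # supply counter
        self.tokens = circulation        # tokens that actually exist
        self.strict = strict             # True = mitigation: revert past the cap

    def mint(self, receiver, minter):
        if self.strict and self.circulation + 1 > self.total_supply:
            raise Revert("total supply surpassed")
        self.circulation += 1            # counter moves even if no token follows
        if self.circulation <= self.total_supply:
            self.tokens += 1
            receiver.on_received(minter) # stands in for onERC721Received

class Minter:
    def __init__(self, core):
        self.core = core

    def mint(self, receiver, n):
        # Bound is checked once, before the loop, against the current counter.
        if self.core.circulation + n > self.core.total_supply:
            raise Revert("no supply")
        for _ in range(n):
            self.core.mint(receiver, self)

class ReenteringReceiver:
    """Constructed receiver whose hook calls back into Minter.mint once."""
    def __init__(self):
        self.reentered = False

    def on_received(self, minter):
        if not self.reentered:
            self.reentered = True
            minter.mint(self, 1)

def simulate(strict):
    """One top-level mint of 2 with 3 of 5 minted; returns (circulation, tokens)."""
    core = Core(total_supply=5, circulation=3, strict=strict)
    snapshot = (core.circulation, core.tokens)
    try:
        Minter(core).mint(ReenteringReceiver(), 2)
    except Revert:
        core.circulation, core.tokens = snapshot  # a revert undoes the whole call
    return core.circulation, core.tokens
```

Without the cap check in the core, the counter ends one above the number of tokens that exist; with it, the whole call reverts and the counter stays in step with the token count.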