Closed c4-submissions closed 6 months ago
141345 marked the issue as duplicate of #478
alex-ppg marked the issue as not a duplicate
The Warden has specified valid misbehavior in the system whereby the final supply of a collection can be set by the function's administrator before the collection's data has ever been added by the collection's administrator.
This is a configurational mistake that is highly unlikely to happen, so I will mark this as a valid QA.
alex-ppg changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L307-L311
Vulnerability details
Description
setFinalSupply allows setting the collectionTotalSupply of a non-existent _collectionId. If that happens, setCollectionData can't set the boolean wereDataAdded[_collectionId] for a collection, which makes several critical functions that check that boolean forever not callable in the collection.
Proof of Concept
Admin unconsciously calls setFinalSupply for a non-existent _collectionId:
It requires that block.timestamp > collectionPhases[_collectionID].publicEndTime + collectionAdditionalData[_collectionID].setFinalSupplyTimeAfterMint. For a non-existent _collectionId, these values are zero as default, so the check is effectively block.timestamp > 0, which is always true.
In the future, when this _collectionId will be used, setCollectionData is called to set the collection's important metadata. However, the only path to set wereDataAdded[_collectionId] = true is if collectionTotalSupply is zero:
As a consequence, all the functions that check wereDataAdded[_collectionId], including the one that sets minting price, are forever not callable for that _collectionId. They're critical, so the collection _collectionId is not usable anymore. Here are some of the functions (setCollectionCosts, airDropTokens, mintAndAuction):
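Added example (not part of the report, not the functions it lists, and not NextGenCore's code): a simplified Solidity model of the time gate quoted in the proof of concept, next to a variant that first requires wereDataAdded for the id. The contract name, the configure helper, the finalSupplySet marker, the "Add data" string and the absence of access control are assumptions made for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model for illustration; not the NextGenCore source.
// Only names quoted in the report are reused; everything else is assumed.
// Access control is left out to keep the focus on the existence check.
contract FinalSupplyGateModel {
    struct Phase { uint256 publicEndTime; }
    struct Additional { uint256 setFinalSupplyTimeAfterMint; }

    mapping(uint256 => Phase) public collectionPhases;
    mapping(uint256 => Additional) public collectionAdditionalData;
    mapping(uint256 => bool) public wereDataAdded;
    // Hypothetical marker so the effect of a successful call is observable;
    // the value the real function writes is outside this model.
    mapping(uint256 => bool) public finalSupplySet;

    // Hypothetical setup helper standing in for collection creation and setCollectionData.
    function configure(uint256 id, uint256 publicEndTime, uint256 delay) external {
        collectionPhases[id].publicEndTime = publicEndTime;
        collectionAdditionalData[id].setFinalSupplyTimeAfterMint = delay;
        wereDataAdded[id] = true;
    }

    // The time gate quoted in the report. For an id that was never configured,
    // both operands read as 0, so this reduces to block.timestamp > 0.
    function timeGatePasses(uint256 id) public view returns (bool) {
        return block.timestamp >
            collectionPhases[id].publicEndTime +
            collectionAdditionalData[id].setFinalSupplyTimeAfterMint;
    }

    // Behaviour described in the report: the time gate is the only check,
    // so the call succeeds for any unused id.
    function setFinalSupplyUnguarded(uint256 id) external {
        require(timeGatePasses(id), "Time has not passed");
        finalSupplySet[id] = true;
    }

    // Hardened variant: reject ids whose data were never added, then apply the time gate.
    function setFinalSupplyGuarded(uint256 id) external {
        require(wereDataAdded[id], "Add data");
        require(timeGatePasses(id), "Time has not passed");
        finalSupplySet[id] = true;
    }
}
```

Calling setFinalSupplyUnguarded with an id that was never passed to configure succeeds on any block, while setFinalSupplyGuarded reverts for the same id and still enforces the end-time delay for configured collections.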