`burnToMint` and `burnOrSwapExternalToMint` allows bypass of periodic sales timer.

[c4-submissions]

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L258-L272 https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L326-L365

Vulnerability details

Description

Sales Mode 3 is when the contract allows only one mint per period of time. However, burnToMint and burnOrSwapExternalToMint allows an user to bypass this restriction, since these functions don't have periodic sales check. This can be a problem since these sales mode collection tend to have higher prices, since the circulation supply will be lower.

Proof of Concept

1. These functions don't have any periodic sales checks:

   function burnToMint(uint256 _burnCollectionID, uint256 _tokenId, uint256 _mintCollectionID, uint256 _saltfun_o) public payable {
       require(burnToMintCollections[_burnCollectionID][_mintCollectionID] == true, "Initialize burn");
       require(block.timestamp >= collectionPhases[_mintCollectionID].publicStartTime && block.timestamp<=collectionPhases[_mintCollectionID].publicEndTime,"No minting");
       require ((_tokenId >= gencore.viewTokensIndexMin(_burnCollectionID)) && (_tokenId <= gencore.viewTokensIndexMax(_burnCollectionID)), "col/token id error");
       // minting new token
       uint256 collectionTokenMintIndex;
       collectionTokenMintIndex = gencore.viewTokensIndexMin(_mintCollectionID) + gencore.viewCirSupply(_mintCollectionID);
       require(collectionTokenMintIndex <= gencore.viewTokensIndexMax(_mintCollectionID), "No supply");
       require(msg.value >= getPrice(_mintCollectionID), "Wrong ETH");
       uint256 mintIndex = gencore.viewTokensIndexMin(_mintCollectionID) + gencore.viewCirSupply(_mintCollectionID);
       // burn and mint token
       address burner = msg.sender;
       gencore.burnToMint(mintIndex, _burnCollectionID, _tokenId, _mintCollectionID, _saltfun_o, burner);
       collectionTotalAmount[_mintCollectionID] = collectionTotalAmount[_mintCollectionID] + msg.value;
   }
   
   function burnOrSwapExternalToMint(address _erc721Collection, uint256 _burnCollectionID, uint256 _tokenId, uint256 _mintCollectionID, string memory _tokenData, bytes32[] calldata merkleProof, uint256 _saltfun_o) public payable {
       bytes32 externalCol = keccak256(abi.encodePacked(_erc721Collection,_burnCollectionID));
       require(burnExternalToMintCollections[externalCol][_mintCollectionID] == true, "Initialize external burn");
       require(setMintingCosts[_mintCollectionID] == true, "Set Minting Costs");
       address ownerOfToken = IERC721(_erc721Collection).ownerOf(_tokenId);
       if (msg.sender != ownerOfToken) {
           bool isAllowedToMint;
           isAllowedToMint = dmc.retrieveGlobalStatusOfDelegation(ownerOfToken, 0x8888888888888888888888888888888888888888, msg.sender, 1) || dmc.retrieveGlobalStatusOfDelegation(ownerOfToken, 0x8888888888888888888888888888888888888888, msg.sender, 2);
           if (isAllowedToMint == false) {
           isAllowedToMint = dmc.retrieveGlobalStatusOfDelegation(ownerOfToken, _erc721Collection, msg.sender, 1) || dmc.retrieveGlobalStatusOfDelegation(ownerOfToken, _erc721Collection, msg.sender, 2);    
           }
           require(isAllowedToMint == true, "No delegation");
       }
       require(_tokenId >= burnOrSwapIds[externalCol][0] && _tokenId <= burnOrSwapIds[externalCol][1], "Token id does not match");
       IERC721(_erc721Collection).safeTransferFrom(ownerOfToken, burnOrSwapAddress[externalCol], _tokenId);
       uint256 col = _mintCollectionID;
       address mintingAddress;
       uint256 phase;
       string memory tokData = _tokenData;
       if (block.timestamp >= collectionPhases[col].allowlistStartTime && block.timestamp <= collectionPhases[col].allowlistEndTime) {
           phase = 1;
           bytes32 node;
           node = keccak256(abi.encodePacked(_tokenId, tokData));
           mintingAddress = ownerOfToken;
           require(MerkleProof.verifyCalldata(merkleProof, collectionPhases[col].merkleRoot, node), 'invalid proof');            
       } else if (block.timestamp >= collectionPhases[col].publicStartTime && block.timestamp <= collectionPhases[col].publicEndTime) {
           phase = 2;
           mintingAddress = ownerOfToken;
           tokData = '"public"';
       } else {
           revert("No minting");
       }
       uint256 collectionTokenMintIndex;
       collectionTokenMintIndex = gencore.viewTokensIndexMin(col) + gencore.viewCirSupply(col);
       require(collectionTokenMintIndex <= gencore.viewTokensIndexMax(col), "No supply");
       require(msg.value >= (getPrice(col) * 1), "Wrong ETH");
       uint256 mintIndex = gencore.viewTokensIndexMin(col) + gencore.viewCirSupply(col);
       gencore.mint(mintIndex, mintingAddress, ownerOfToken, tokData, _saltfun_o, col, phase);
       collectionTotalAmount[col] = collectionTotalAmount[col] + msg.value;
   }

2. So, an user can burnToMint to mint more nft's that are allowed per period of time, which allows him to utilize the higher prices that collections with lower circulation supply has .

Impact

Allows a user to bypass periodic minting, which allows him to enjoy the better prices of new collection that has a low circulation supply.

1. Likelihood: High. The variables that enable burnToMint and burnOrSwapExternalToMint needs to be set.
2. Impact: Low. Users that uses burnToMint can mint more tokens than unaware users or users that don't have tokens from others collections to burn.
   • Risk: Medium (High Likelihood + Low Impact)

Tools Used

Manual Review

Recommended Mitigation Steps

Add the sales option 3 checks.

Assessed type

Invalid Validation

[c4-pre-sort]

141345 marked the issue as duplicate of #1189

[c4-pre-sort]

141345 marked the issue as duplicate of #1763

[c4-pre-sort]

141345 marked the issue as not a duplicate

[c4-pre-sort]

141345 marked the issue as duplicate of #383

[c4-judge]

alex-ppg marked the issue as unsatisfactory: Invalid