code-423n4 / 2023-10-nextgen-findings


Cross-Contract Reentrancy can occur during burnToMint #2022

Closed c4-submissions closed 7 months ago

c4-submissions commented 7 months ago

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L218-L220

Vulnerability details

Impact

Cross Contract re-entrancy can occur due to not following CEI

Proof of Concept

  1. An attacker can call burnToMint() with any of the tokenIds he owns!
  2. This calls the burnToMint in GenCore, which mints the new token from the to-be-minted collection.

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L218-L220

_mintProcessing(mintIndex, ownerOf(_tokenId), tokenData[_tokenId], _mintCollectionID, _saltfun_o);
// burn token
_burn(_tokenId);  
  3. The issue is that the protocol is minting the new token and calling the receiver without first burning the tokens. This allows the attacker to sell the tokens if it had liquidity, and the token will get burned in the same transaction, leaving the party who received the token at a loss.

Tools Used

Recommended Mitigation Steps

Tokens should be burned before minting and calling the receiver contract; this follows the safe pattern.

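// cache the owner first: ownerOf(_tokenId) reverts once the token is burned
// (tokenOwner is a local name introduced here)
address tokenOwner = ownerOf(_tokenId);
// burn token
_burn(_tokenId);
_mintProcessing(mintIndex, tokenOwner, tokenData[_tokenId], _mintCollectionID, _saltfun_o);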

Assessed type

Reentrancy
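The two orderings discussed in this submission, as an added Python model that is not part of the submission or the NextGen code base. The `Ledger` class, the `on_received` hook (standing in for the ERC-721 receiver callback) and the names "holder" and "third_party" are assumptions made for illustration. It checks whether the old token can still be transferred while the mint callback runs.

```python
class Ledger:
    """Toy ERC-721 ledger (constructed model, not NextGenCore)."""
    def __init__(self):
        self.owners = {}  # tokenId -> owner

    def owner_of(self, token_id):
        if token_id not in self.owners:
            raise LookupError("nonexistent token")  # ownerOf reverts here
        return self.owners[token_id]

    def transfer(self, sender, to, token_id):
        if self.owner_of(token_id) != sender:
            raise PermissionError("not owner")
        self.owners[token_id] = to

    def safe_mint(self, to, token_id, on_received):
        self.owners[token_id] = to
        on_received(self)  # stands in for the onERC721Received callback

    def burn(self, token_id):
        del self.owners[token_id]

def burn_to_mint_mint_first(ledger, old_id, new_id, on_received):
    # Ordering from the cited lines: mint (external call) before burn.
    ledger.safe_mint(ledger.owner_of(old_id), new_id, on_received)
    ledger.burn(old_id)

def burn_to_mint_cei(ledger, old_id, new_id, on_received):
    # Checks-effects-interactions: cache owner, burn, then make the external call.
    owner = ledger.owner_of(old_id)
    ledger.burn(old_id)
    ledger.safe_mint(owner, new_id, on_received)

def transfer_during_callback(burn_to_mint):
    """Return (transfer_succeeded, final_owners) for one burn-to-mint call."""
    ledger = Ledger()
    ledger.owners[1] = "holder"  # constructed starting state
    result = []
    def on_received(l):
        try:
            l.transfer("holder", "third_party", 1)
            result.append(True)
        except LookupError:
            result.append(False)
    burn_to_mint(ledger, 1, 2, on_received)
    return result[0], dict(ledger.owners)
```

With mint-first ordering the transfer inside the callback succeeds and the recipient's token is then burned; with the burn moved first, the same transfer fails because the token no longer exists.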

c4-pre-sort commented 7 months ago

141345 marked the issue as duplicate of #1198

c4-pre-sort commented 7 months ago

141345 marked the issue as duplicate of #1597

c4-pre-sort commented 7 months ago

141345 marked the issue as duplicate of #1742

c4-judge commented 7 months ago

alex-ppg marked the issue as not a duplicate

c4-judge commented 7 months ago

alex-ppg marked the issue as duplicate of #1597

c4-judge commented 7 months ago

alex-ppg changed the severity to 2 (Med Risk)

c4-judge commented 6 months ago

alex-ppg marked the issue as partial-50