Status: Closed (captainmangoC4 closed this issue 9 months ago)
Issue created on behalf of judge in order to split into 2 findings
alex-ppg marked the issue as duplicate of #572
alex-ppg marked the issue as satisfactory
alex-ppg changed the severity to 3 (High Risk)
alex-ppg marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/hardhat/smart-contracts/MinterContract.sol#L196
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/hardhat/smart-contracts/NextGenCore.sol#L231
Vulnerability details
Impact
The reentrancy vulnerability in the NextGenMinterContract::mint function allows an attacker to bypass the restriction of minting only one NFT per period. The reentrancy is achieved from the _safeMint call in the function NextGenCore::_mintProcessing, which is used to call the function NextGenMinterContract::mint again and again. The attacker can also bypass the viewMaxAllowance check for any sales option. Consequently, an attacker could exploit this to mint many NFTs within a single period and for any max allowance set. This could disrupt the collection supply and bypass any intended restriction and allowance that was set by the function admin in NextGenCore::createCollection.
Proof of Concept
The issue arises because the following parameters do not update after each call. Basically, after reentering, gencore.retrieveTokensMintedPublicPerAddress(col, msg.sender) does not update, while _numberOfTokens and gencore.viewMaxAllowance(col) stay the same. Following the same logic, for salesOption == 3 the following conditions do not revert because:
_numberOfTokens stays the same (= 1), and
collectionPhases[col].allowlistStartTime + (collectionPhases[col].timePeriod * (gencore.viewCirSupply(col) - 1)) also stays the same. Since this code runs after the last iteration, the circulating supply will not change during the nested calls (it will be equal to the number of iterations, i.e. reentrancies). As long as tDiff > 1, the reentrancy will work.
POC
You can add this test to the file nextGen.t.sol of our Foundry setup (gist: C4 nextGen foundry setup) and execute it with the command: forge test --mt testCanReenterMintForSaleOption3 -vvvv
Tools Used
Manual review + foundry
Recommended Mitigation Steps
NextGenMinterContract::mint && NextGenCore::mint
For the second recommendation you can consider the following changes:
function NextGenMinterContract::mint:
function NextGenCore::mint:
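The defensive pattern these mitigation steps point at, shown as an added illustration that is not NextGen's code and not the author's proposed diff: a hypothetical GuardedMinter contract that takes a reentrancy lock for the whole mint and records the per-address count, the circulating supply and the owner before _safeMint hands control to the recipient's onERC721Received callback. Every name in it (GuardedMinter, ReentrancyLock, mintedPerAddress, circulatingSupply, maxAllowance, timePeriod, startTime) and the simplified period formula are invented for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not NextGen code: a hypothetical minter that closes the
// reentrancy window described in this report by (1) holding a lock for the
// whole mint and (2) applying every state change BEFORE _safeMint hands
// control to the recipient. All names below are invented for the example.

interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external
        returns (bytes4);
}

abstract contract ReentrancyLock {
    uint256 private constant NOT_ENTERED = 1;
    uint256 private constant ENTERED = 2;
    uint256 private _status = NOT_ENTERED;

    // A nested call into any nonReentrant function reverts while the lock is held.
    modifier nonReentrant() {
        require(_status == NOT_ENTERED, "reentrant call");
        _status = ENTERED;
        _;
        _status = NOT_ENTERED;
    }
}

contract GuardedMinter is ReentrancyLock {
    uint256 public immutable maxAllowance; // max tokens per address (hypothetical)
    uint256 public immutable timePeriod;   // seconds between allowed mints (hypothetical)
    uint256 public immutable startTime;    // start of the minting schedule (hypothetical)

    uint256 public circulatingSupply;
    mapping(address => uint256) public mintedPerAddress;
    mapping(uint256 => address) public ownerOf;

    constructor(uint256 maxAllowance_, uint256 timePeriod_, uint256 startTime_) {
        maxAllowance = maxAllowance_;
        timePeriod = timePeriod_;
        startTime = startTime_;
    }

    function mint(uint256 numberOfTokens) external nonReentrant {
        // Checks: per-address allowance and a one-token-per-period schedule.
        require(mintedPerAddress[msg.sender] + numberOfTokens <= maxAllowance, "max allowance exceeded");
        require(numberOfTokens == 1, "one token per period");
        uint256 slotOpensAt = startTime + timePeriod * circulatingSupply;
        require(block.timestamp >= slotOpensAt, "period not open");

        // Effects: update every counter the checks read before any external call,
        // so a nested mint() (even without the lock) would see the new values.
        mintedPerAddress[msg.sender] += numberOfTokens;
        uint256 tokenId = ++circulatingSupply;
        ownerOf[tokenId] = msg.sender;

        // Interaction: the recipient callback is the reentrancy point.
        _safeMint(msg.sender, tokenId);
    }

    function _safeMint(address to, uint256 tokenId) internal {
        // Contract recipients are called back; that callback is where a nested
        // mint() would originate. With the lock held it reverts immediately.
        if (to.code.length > 0) {
            bytes4 retval = IERC721Receiver(to).onERC721Received(msg.sender, address(0), tokenId, "");
            require(retval == IERC721Receiver.onERC721Received.selector, "unsafe recipient");
        }
    }
}
```

The two defences are independent: the nonReentrant lock makes a nested mint() revert with "reentrant call", and the checks-effects-interactions ordering means that, even if the lock were removed, the nested call would read the already-incremented mintedPerAddress and circulatingSupply and fail the allowance or period check, which is exactly the state the report shows NextGen reads too late.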
Assessed type
Reentrancy