Closed captainmangoC4 closed 6 months ago
Issue created on behalf of judge in order to split into 2 findings
alex-ppg marked the issue as duplicate of #572
The submission lacks sufficient quality to be graded as a rewardable duplicate of the periodic-sale re-entrancy attack vector given that it specifies only an "off-chain" impact for the said model.
alex-ppg marked the issue as unsatisfactory: Insufficient proof
alex-ppg marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L220 https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L192-L199
Vulnerability details
Impact
Lack of reentrancy protection and code not follow Checks, Effects, Interactions pattern guideline.
Here are the Effects stuff happen after Interactions affected by reentrancy:
tokensMintedAllowlistAddress
: tracking presale minted NFT per address.tokensMintedPerAddress
: tracking public minted NFT per address.lastMintDate
: tracking last mint auction price, only for off-chain price calculation.collectionTotalAmount
: tracking income, only for off-chain view.burnAmount
: tracking burn NFT, only for off-chain view.Only presale tracking part have anything to do with possible finance damage, because user can bypass presale limit tracked by merkleroot.
The only one hurt by this exploit is NFT project use sale option 3 where price increase for each token mint. If user can bypass presale limit, they can mint at much lower price than other user. It would be unfair to other user who mint at the end of presale, whom might have to pay higher price than other user.
Other case include when presale price is much lower than public sale. This require admin updated price when presale end.
Proof of Concept
All NFT minting go through
_mintProcessing()
function https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L227-L232It call
_safeMint()
which by default have callbackonERC721Received()
. https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/ERC721.sol#L245-L251So anything change after
_mintProcessing()
can be exploited by reentrancy.We only care about this variable
tokensMintedAllowlistAddress
,track token count change for presale user, after_mintProcessing()
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L192-L199As show here this variable is used for get amount of token minted for presale user. https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L404-L406 https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L212-L219
Because presale
mint()
function is called beforetokensMintedAllowlistAddress
is changed, exploiter can simply use the same merkleroot to mint again duringonERC721Received()
callback.Tools Used
manual
Recommended Mitigation Steps
Add reentrancy protection
Assessed type
Reentrancy