The unlock method does not set 'remainder' to 0, which might allow users to mint NFTs with assets less than nftCost.
Desc
When the lock method calculates the locked assets, it saves the assets that are less than nftCost into the 'remain' variable. In the next call to the lock method, 'remain' is added to the quantity. However, there is a bug in the unlock method (see: https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L401-L416). The unlock method does not set 'remain' to 0, which means that after a user has unlocked and transferred all assets, the 'remain' variable is not zero. This allows the next lock to mint an NFT with assets less than nftCost
Lines of code
https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L401-L416
Vulnerability details
Impact
The unlock method does not set 'remainder' to 0, which might allow users to mint NFTs with assets less than nftCost.
Desc
When the lock method calculates the locked assets, it saves the assets that are less than nftCost into the 'remain' variable. In the next call to the lock method, 'remain' is added to the quantity. However, there is a bug in the unlock method (see: https://github.com/code-423n4/2024-05-munchables/blob/main/src/managers/LockManager.sol#L401-L416). The unlock method does not set 'remain' to 0, which means that after a user has unlocked and transferred all assets, the 'remain' variable is not zero. This allows the next lock to mint an NFT with assets less than nftCost
Proof of Concept
Test command: pnpm test
user can get 1 nft through lock 1eth < nftCost
Tools Used
Manual Review
Recommended Mitigation Steps
In LockManager.sol unlock method, set the lockedToken.remainder = 0;
Assessed type
Error