Open howlbot-integration[bot] opened 3 months ago
koolexcrypto marked the issue as satisfactory
koolexcrypto marked the issue as selected for report
koolexcrypto changed the severity to 2 (Med Risk)
koolexcrypto changed the severity to 3 (High Risk)
koolexcrypto changed the severity to 2 (Med Risk)
koolexcrypto changed the severity to 3 (High Risk)
@koolexcrypto thanks for the swift judging! I have the same finding in my QA report #32 L-01, I guess it has been missed. Can you please make it a duplicate of this issue? Thanks for your time!
Lines of code
https://github.com/code-423n4/2024-07-traitforge/blob/main/contracts/TraitForgeNft/TraitForgeNft.sol#L215
Vulnerability details
Summary
TraitForgeNft::mintWithBudget function is similar to mintToken, but allows users to mint multiple tokens in a single transaction if they have a budget exceeding the minting price for one token. However, _tokenIds tracks the total number of tokens ever minted, not just the tokens in the current generation.
Impact
In the current implementation, _tokenIds is used to control the minting process. The check while(budgetLeft >= mintPrice && _tokenIds < maxTokensPerGen) ensures that minting will stop when the current generation's minted tokens reach maxTokensPerGen. Instead of checking the number of tokens minted in the current generation, the function incorrectly checks the total number of tokens minted across all generations (_tokenIds).
Proof of Concept
Here is the current implementation of the mintWithBudget function in the smart contract on line 215:
The function will not allow minting if _tokenIds is greater than 10,000, which will happen after the 1st generation is fully minted.
Tools Used
Manual Review
Recommended Mitigation Steps
Use generationMintCounts[currentGeneration] instead of _tokenIds.
Assessed type
Invalid Validation
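The counter mix-up described in the report, as an added Python model that is not part of the original submission or the project's code. It compares the quoted check on _tokenIds with the recommended check on generationMintCounts[currentGeneration]; the flat mint price and the rollover to the next generation inside mint_token are assumptions made for the model.

```python
MAX_TOKENS_PER_GEN = 10_000  # cap quoted in the report


class MintModel:
    """Simplified model of the counters in the report, not the contract code."""

    def __init__(self, mint_price=1):
        self.token_ids = 0                    # _tokenIds: total ever minted
        self.current_generation = 1           # currentGeneration
        self.generation_mint_counts = {1: 0}  # generationMintCounts
        self.mint_price = mint_price          # assumption: flat price

    def mint_token(self):
        # Assumption: a full generation rolls over to the next one on mint.
        if self.generation_mint_counts[self.current_generation] >= MAX_TOKENS_PER_GEN:
            self.current_generation += 1
            self.generation_mint_counts[self.current_generation] = 0
        self.token_ids += 1
        self.generation_mint_counts[self.current_generation] += 1

    def has_room(self, per_generation_check):
        if per_generation_check:  # recommended mitigation
            return self.generation_mint_counts[self.current_generation] < MAX_TOKENS_PER_GEN
        return self.token_ids < MAX_TOKENS_PER_GEN  # check quoted in the report

    def mint_with_budget(self, budget, per_generation_check):
        minted = 0
        while budget >= self.mint_price and self.has_room(per_generation_check):
            self.mint_token()
            minted += 1
            budget -= self.mint_price
        return minted


def mint_in_second_generation(per_generation_check, budget=5):
    """Fill generation 1, open generation 2 with a single mint, then batch-mint."""
    model = MintModel()
    for _ in range(MAX_TOKENS_PER_GEN + 1):
        model.mint_token()
    return model.current_generation, model.mint_with_budget(budget, per_generation_check)


if __name__ == "__main__":
    print("check on _tokenIds:", mint_in_second_generation(False))
    print("check on generationMintCounts:", mint_in_second_generation(True))
```

Within generation 1 both checks behave identically, which is why a test suite that never leaves the first generation would not catch the difference.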