Closed howlbot-integration[bot] closed 2 months ago
koolexcrypto marked the issue as satisfactory
koolexcrypto changed the severity to 3 (High Risk)
koolexcrypto marked the issue as duplicate of #656
koolexcrypto changed the severity to 2 (Med Risk)
Lines of code
https://github.com/code-423n4/2024-07-traitforge/blob/279b2887e3d38bc219a05d332cbcb0655b2dc644/contracts/TraitForgeNft/TraitForgeNft.sol#L293
https://github.com/code-423n4/2024-07-traitforge/blob/279b2887e3d38bc219a05d332cbcb0655b2dc644/contracts/TraitForgeNft/TraitForgeNft.sol#L328
https://github.com/code-423n4/2024-07-traitforge/blob/279b2887e3d38bc219a05d332cbcb0655b2dc644/contracts/TraitForgeNft/TraitForgeNft.sol#L288
https://github.com/code-423n4/2024-07-traitforge/blob/279b2887e3d38bc219a05d332cbcb0655b2dc644/contracts/EntropyGenerator/EntropyGenerator.sol#L101-L120
https://github.com/code-423n4/2024-07-traitforge/blob/279b2887e3d38bc219a05d332cbcb0655b2dc644/contracts/TraitForgeNft/TraitForgeNft.sol#L176
Vulnerability details
Bug Description
As confirmed by the docs and the protocol sponsor, there should be 1 'Golden God' entropy/token per generation. However, this is unlikely to be the case due to forging.

After the generation has incremented, forges into the current generation and 'standard' mints both contribute towards the total tokens minted in the current generation. This is because `TraitForgeNft::_mintInternal()` and `TraitForgeNft::_mintNewEntity()` both increment the `generationMintCounts` mapping variable. However, `TraitForgeNft::_mintInternal()` fetches the entropy for the newly minted token via the `EntropyGenerator::getNextEntropy()` call, whereas `TraitForgeNft::_mintNewEntity()` receives the entropy of the newly minted token as calculated in the `TraitForgeNft::forge()` function.

The important difference in entropy retrieval between the above two types of minting is that `_mintInternal()` increments the `EntropyGenerator::currentSlotIndex` and `EntropyGenerator::currentNumberIndex` state variables, whilst `_mintNewEntity()` does not. The result is that forges count towards `generationMintCounts` whilst not incrementing the entropy indices, so it is possible for a whole generation to be minted without the entropy cursor ever reaching the 'Golden God' index.

Imagine the following scenario, which is also demonstrated below with a POC:

- `TraitForgeNft::currentGeneration()` is incremented to 2.
- `entropyGenerator.initializeAlphaIndices()` initializes the indices such that the 'Golden God' will be minted at slot 769, index 3.
- Forged tokens are minted through the `TraitForgeNft::_mintNewEntity()` method, which does not advance the entropy indices.
- Before enough standard mints through `TraitForgeNft::_mintInternal()` reach that slot, the generation increments to 3.

Impact
Note this has the same impact as another issue I submitted, however both issues have distinct root causes.
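To make the counter interaction concrete, the following is an added Python model of the two mint paths; it is not project code and not the warden's POC. It reduces `EntropyGenerator` to a (slot, number) cursor that only `_mintInternal()` advances, and it assumes 13 entropies per slot, a constructed cap of 26 tokens per generation and constructed filler entropies. With `forges_advance_cursor=True` it also models the mitigation recommended at the end of this report (advance the cursor for forged tokens and assign 999,999 when a forge lands on the alpha indices).

```python
# Added example (not project code): a counter-level model of the two TraitForge
# mint paths described in this finding. Constants and entropies below are
# constructed; the real contracts use their own values.
GOLDEN_GOD_ENTROPY = 999_999   # the value the finding says marks a 'Golden God'
FILLER_ENTROPY = 123_456       # constructed stand-in for any non-Golden-God entropy


class MintModel:
    """Tracks generationMintCounts and the (slot, number) entropy cursor of one
    generator, advancing the cursor only where the finding says it moves."""

    def __init__(self, max_tokens_per_gen, golden_slot, golden_number,
                 numbers_per_slot=13, forges_advance_cursor=False):
        self.max_tokens_per_gen = max_tokens_per_gen        # constructed cap
        self.golden = (golden_slot, golden_number)           # the 'alpha indices'
        self.numbers_per_slot = numbers_per_slot             # assumption: entropies per slot
        self.forges_advance_cursor = forges_advance_cursor   # True = recommended mitigation
        self.current_generation = 1
        self.generation_mint_counts = {1: 0}
        self.current_slot_index = 0
        self.current_number_index = 0
        self.golden_gods = {}  # generation -> number of 999,999 entropies handed out

    def _at_alpha_indices(self):
        return (self.current_slot_index, self.current_number_index) == self.golden

    def _advance_cursor(self):
        self.current_number_index += 1
        if self.current_number_index == self.numbers_per_slot:
            self.current_number_index = 0
            self.current_slot_index += 1

    def _get_next_entropy(self):
        # Mirrors getNextEntropy(): read the current position, then move on.
        entropy = GOLDEN_GOD_ENTROPY if self._at_alpha_indices() else FILLER_ENTROPY
        self._advance_cursor()
        return entropy

    def _record_mint(self, entropy):
        # Both mint paths end up here: the token counts towards the generation.
        gen = self.current_generation
        self.generation_mint_counts[gen] += 1
        if entropy == GOLDEN_GOD_ENTROPY:
            self.golden_gods[gen] = self.golden_gods.get(gen, 0) + 1
        if self.generation_mint_counts[gen] >= self.max_tokens_per_gen:
            self._increment_generation()

    def _increment_generation(self):
        self.current_generation += 1
        self.generation_mint_counts[self.current_generation] = 0
        # Assumption of this model: the cursor restarts and the alpha indices stay fixed.
        self.current_slot_index = 0
        self.current_number_index = 0

    def mint_internal(self):
        """Standard mint (_mintInternal): entropy comes from the generator, cursor advances."""
        self._record_mint(self._get_next_entropy())

    def mint_new_entity(self, forged_entropy):
        """Forge mint (_mintNewEntity): entropy was computed in forge(); as reported,
        the cursor does not move, so the token uses up a generation slot for free."""
        if not self.forges_advance_cursor:
            self._record_mint(forged_entropy)
            return
        # Mitigation from the report: consume a cursor position for the forged token
        # and promote it to 999,999 if that position is the generation's alpha indices.
        landed_on_alpha = self._at_alpha_indices()
        self._advance_cursor()
        self._record_mint(GOLDEN_GOD_ENTROPY if landed_on_alpha else forged_entropy)


def golden_gods_in_generation(model, forges):
    """Mint one complete generation: `forges` forge-mints, then standard mints until
    the generation rolls over. Returns how many Golden Gods that generation produced."""
    gen = model.current_generation
    for _ in range(forges):
        if model.current_generation != gen:
            break
        model.mint_new_entity(forged_entropy=654_321)  # constructed forge() result
    while model.current_generation == gen:
        model.mint_internal()
    return model.golden_gods.get(gen, 0)


if __name__ == "__main__":
    # 26 tokens per generation, Golden God at the last cursor position (slot 1, number 12).
    print(golden_gods_in_generation(MintModel(26, 1, 12), forges=0))  # 1
    print(golden_gods_in_generation(MintModel(26, 1, 12), forges=5))  # 0: cursor stops at 20
    print(golden_gods_in_generation(MintModel(26, 1, 12, forges_advance_cursor=True), forges=5))  # 1
```

Five forges leave only 21 standard mints in the generation, so the cursor stops six positions short of the alpha indices and the generation closes with no Golden God; the same run with the cursor advanced on forges reaches the last position again.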
Proof of Concept
The test `test_POC_NoGoldenGodEntropyDueToForging()` does the following:

Please note this is a Foundry test and the repo must be set up as a Foundry project before running.

Before running the tests, make the below changes to the `EntropyGenerator` contract (to allow generation increments):

Paste the below code into a new file in the `test` folder.

Tools Used
Manual Review
Recommended Mitigation Steps
One solution is to increment the `EntropyGenerator::currentSlotIndex` and `EntropyGenerator::currentNumberIndex` state variables when a token is minted due to forging. In addition, if the forged token lands on the current generation's 'alpha indices' (`slotIndexSelectionPoint`, `numberIndexSelectionPoint`), set the entropy for this token to 999,999.

Assessed type
Other