Open hats-bug-reporter[bot] opened 1 year ago
Github username: --
Submission hash (on-chain): 0xa7afc93b3a1b0093a1eb1a82b6da7c32a9774a8584cca34926392590ce9251fb
Severity: medium
Description:
Description
Use safeMint instead of mint for ERC721
Attack Scenario
`to` will be minted an NFT when `_mintBoost()` is called.
However, if `to` is a contract address that does not support ERC721, the NFT can be frozen in the contract.
As per the documentation of EIP-721:
A wallet/broker/auction application MUST implement the wallet interface if it will accept safe transfers.
Ref: https://eips.ethereum.org/EIPS/eip-721
As per the documentation of ERC721.sol by OpenZeppelin
Ref: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC721/ERC721.sol#L274-L285
```solidity
// file: src\static\stake\HoprBoost.sol
function _mintBoost(
    address to,
    uint256 boostNumerator,
    uint256 redeemDeadline,
    uint256 boostTypeIndex,
    string memory _tokenURI
) private {
    // create token
    uint256 tokenId = totalSupply();
    _mint(to, tokenId);
    // save boost factor numerator
    _boostNumerator[tokenId] = boostNumerator;
    // save redeem deadline
    _redeemDeadline[tokenId] = redeemDeadline;
    // save boost type id
    _boostTypeIndexOfId[tokenId] = boostTypeIndex;
    // save tokenURI
    _setTokenURI(tokenId, _tokenURI);
}
```
Attachments
`to` is a contract address that does not support ERC721
Use `safeMint` instead of `mint` to check the receiving address's support for the ERC721 implementation.
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/token/ERC721/ERC721.sol#L262
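
The receiver check recommended in the report, as an added example that is not part of the submission or the HoprBoost source: a simplified, self-contained model (not a full ERC721) that refuses to mint to a contract that does not answer `onERC721Received`, and that writes all boost state before making that external call so the callback cannot observe a half-initialised token. The contract name `BoostMintSketch`, the public `mintBoost` function and the storage layout are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Added example: simplified model, not the HoprBoost source. All names are hypothetical.
interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

contract BoostMintSketch {
    mapping(uint256 => address) private _owners;
    mapping(uint256 => uint256) private _boostNumerator;
    mapping(uint256 => uint256) private _redeemDeadline;
    uint256 public totalSupply;

    event Transfer(address indexed from, address indexed to, uint256 indexed tokenId);

    function ownerOf(uint256 tokenId) external view returns (address) {
        return _owners[tokenId];
    }

    // Access control is omitted to keep the sketch short; a real minter needs it.
    function mintBoost(address to, uint256 boostNumerator, uint256 redeemDeadline) external {
        require(to != address(0), "mint to the zero address");
        uint256 tokenId = totalSupply;

        // Effects first: the receiver callback below hands control to `to`,
        // so every piece of token state must already be final when it runs.
        totalSupply = tokenId + 1;
        _owners[tokenId] = to;
        _boostNumerator[tokenId] = boostNumerator;
        _redeemDeadline[tokenId] = redeemDeadline;
        emit Transfer(address(0), to, tokenId);

        // Interaction last: only contracts are asked; externally owned accounts
        // have no code. Any failure reverts the whole mint, undoing the writes above.
        if (to.code.length > 0) {
            try IERC721Receiver(to).onERC721Received(msg.sender, address(0), tokenId, "") returns (bytes4 retval) {
                require(retval == IERC721Receiver.onERC721Received.selector, "receiver rejected token");
            } catch {
                revert("recipient does not implement IERC721Receiver");
            }
        }
    }
}
```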
As stated in the contest rules, contracts in "static" folders are out of scope.