Minting can be easily sybilled by calling from multiple addresses
Summary
During the public mint phase, the Infiltration contract enforces that one address should not be able to mint more than MAX_MINT_PER_ADDRESS tokens. However it is easy to circumvent this limitation by creating multiple contracts calling the mint function in one single transaction and mint an arbitrary amount of tokens.
However a malicious participant Alice could set up a contract to call the mint function from different child contracts. This would allow Alice to gain a significant advantage over other participants, since as one can see in the other issues reported:
Weak randomness in _woundRequestFulfilled can be slightly manipulated
A participant with enough active agents can force win for his wounded agents
A participant with enough agents can force win while some opponents' agents are healing
Having more agents can be used to influence the game outcome especially in the later stages.
Impact
A participant can buy an arbitrarily large amount of tokens and influence the game outcome
cergyk
medium
Minting can be easily sybilled by calling from multiple addresses
Summary
During the public mint phase, the Infiltration contract enforces that one address should not be able to mint more than
MAX_MINT_PER_ADDRESStokens. However it is easy to circumvent this limitation by creating multiple contracts calling the mint function in one single transaction and mint an arbitrary amount of tokens.Vulnerability Detail
We can see in the public mint function, that a limitation is enforced for the
MAX_MINT_PER_ADDRESS: https://github.com/sherlock-audit/2023-10-looksrare/blob/main/contracts-infiltration/contracts/Infiltration.sol#L477-L480However a malicious participant Alice could set up a contract to call the mint function from different child contracts. This would allow Alice to gain a significant advantage over other participants, since as one can see in the other issues reported:
Having more agents can be used to influence the game outcome especially in the later stages.
Impact
A participant can buy an arbitrarily large amount of tokens and influence the game outcome
Code Snippet
Tool used
Manual Review
Recommendation
Please consider set up a whitelisted minting
Duplicate of #24