Closed sherlock-admin2 closed 6 months ago
1 comment(s) were left on this issue during the judging contest.
takarez commented:
valid because { This is valid and the watson explained how the exploit looks; which is of two token IDs; but I consider it a dup of 109 because of the same underlying cause }
popeye
high
Multiple owners could show "ownership" of the same token ID in CouncilMember.sol
Summary
This could allow duplicate token IDs to be created. Specifically, when an NFT is burned, its token ID is not invalidated. This allows the token ID to be reused in future mints, violating the ERC-721 standard and creating two tokens with the same ID.
Vulnerability Detail
The vulnerability stems from how the CouncilMember::mint function relies on totalSupply to determine the next token ID. In mint(), the new token ID is simply the current totalSupply:
When burning in burn(), totalSupply is reduced but the specific burned tokenId is not tracked:
This allows the burned tokenId to be reused if totalSupply reaches that number again. On ERC721Upgradeable::_mint, OpenZeppelin mentions in the natspec:
Impact
This vulnerability breaks the fundamental ERC-721 requirement that each token ID must be unique and not assigned multiple owners.
If exploited, it would be possible for multiple wallet addresses to show "ownership" of the same token ID. This destroys the reliability of the NFT's identity and ownership tracking.
Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L173-L182
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L210-L222
Proof of Concept
Alice: A member with the GOVERNANCE_COUNCIL_ROLE, responsible for minting and burning tokens
Bob: A council member and the owner of tokenId 5
totalSupply is now 9.
totalSupply is 9.
So at the end of this example:
Tool used
Manual Review
Recommendation
Independent Counter for Token IDs: Implement a separate counter for token IDs to ensure uniqueness.
Modify Mint Function: Update the mint function to use _tokenIdCounter for new token IDs.
Duplicate of #199
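As an added illustration (not code from this report or from the Telcoin contracts), a Python model of the two ID-allocation schemes the finding and the recommendation describe: a minimal ownership ledger, the member names and the burn order are constructed here, and the uniqueness check in `_mint` is assumed to mirror OpenZeppelin's requirement that a minted ID must not already exist.

```python
# Constructed model of the token-ID allocation bug and the recommended fix; not the audited contract.
class Ledger:
    def __init__(self) -> None:
        self.owner_of: dict[int, str] = {}   # tokenId -> owner (the ERC-721 state)
        self.minted_ids: list[int] = []      # every ID ever handed out, in mint order

    def total_supply(self) -> int:
        return len(self.owner_of)

    def _mint(self, to: str, token_id: int) -> None:
        # Assumed to mirror OpenZeppelin's _mint requirement: the ID must not already exist.
        if token_id in self.owner_of:
            raise ValueError(f"token {token_id} already minted")
        self.owner_of[token_id] = to
        self.minted_ids.append(token_id)

    def burn(self, token_id: int) -> None:
        del self.owner_of[token_id]  # totalSupply shrinks; the burned ID itself is forgotten

class TotalSupplyIds(Ledger):
    """Vulnerable scheme from the finding: the new ID is simply the current totalSupply."""
    def mint(self, to: str) -> int:
        token_id = self.total_supply()
        self._mint(to, token_id)
        return token_id

class CounterIds(Ledger):
    """Recommended fix: a separate _tokenIdCounter that burn() never rewinds."""
    def __init__(self) -> None:
        super().__init__()
        self._token_id_counter = 0

    def mint(self, to: str) -> int:
        token_id = self._token_id_counter
        self._token_id_counter += 1
        self._mint(to, token_id)
        return token_id

def ids_reused(ledger: Ledger) -> bool:
    """True if any token ID was issued more than once over the ledger's lifetime."""
    return len(ledger.minted_ids) != len(set(ledger.minted_ids))

def run_scenario(ledger: Ledger) -> int:
    """Alice mints IDs 0-9 (Bob holds 5), burns 9, 8, 7, 6 and Bob's 5 so totalSupply is 5 again, then mints once more."""
    for i in range(10):
        ledger.mint("bob" if i == 5 else f"member{i}")
    for token_id in (9, 8, 7, 6, 5):
        ledger.burn(token_id)
    return ledger.mint("carol")  # 5 under TotalSupplyIds (Bob's old ID), 10 under CounterIds
```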