sherlock-audit / 2024-04-titles-judging


0x486776 - `Edition::mintBatch` receives less money than it should. #187

Closed sherlock-admin4 closed 6 months ago

sherlock-admin4 commented 6 months ago

0x486776

high

Edition::mintBatch receives less money than it should.

Summary

Edition::mintBatch only receives the price for one buyer.

Vulnerability Detail

As seen at L312 of Edition::mintBatch, it receives only the price for one buyer. In fact, it should receive the price for all receivers.

    function mintBatch(
        address[] calldata receivers_,
        uint256 tokenId_,
        uint256 amount_,
        bytes calldata data_
    ) external payable {
        // wake-disable-next-line reentrancy
        FEE_MANAGER.collectMintFee{value: msg.value}(
            this, tokenId_, amount_, msg.sender, address(0), works[tokenId_].strategy // L312
        );

        for (uint256 i = 0; i < receivers_.length; i++) {
            _issue(receivers_[i], tokenId_, amount_, data_);
        }

        _refundExcess();
    }

Impact

The protocol and publishers incur a loss when selling to several receivers at once.

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L304-L320

Tool used

Manual Review

Recommendation

Edition::mintBatch should be fixed as follows.

    function mintBatch(
        address[] calldata receivers_,
        uint256 tokenId_,
        uint256 amount_,
        bytes calldata data_
    ) external payable {
        // wake-disable-next-line reentrancy
        FEE_MANAGER.collectMintFee{value: msg.value}(
-           this, tokenId_, amount_, msg.sender, address(0), works[tokenId_].strategy
+           this, tokenId_, amount_ * receivers_.length, msg.sender, address(0), works[tokenId_].strategy
        );

        for (uint256 i = 0; i < receivers_.length; i++) {
            _issue(receivers_[i], tokenId_, amount_, data_);
        }

        _refundExcess();
    }
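Review bot: the `+` line assumes that the fee returned by `collectMintFee` is linear in its amount argument; if a strategy applies a per-call component or tiered pricing, passing `amount_ * receivers_.length` in one call still charges a different total than collecting the fee once per receiver. Either state that the strategy fee must scale linearly with `amount_`, or collect the fee inside the `receivers_` loop so each issuance is priced on its own.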

Duplicate of #264
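A constructed reproduction of the accounting gap described in this report, written for this page and not taken from the Titles codebase. It assumes a fee manager that charges a flat `PRICE_PER_UNIT` per unit and sends any overpayment back to the calling contract, and a Foundry environment where `forge-std/Test.sol` is available; `MockFeeManager`, `DemoEdition`, `mintBatchVulnerable`, `mintBatchFixed` and the test names are hypothetical. It shows the part the report leaves implicit: a buyer who sends the full price for every receiver gets the unpaid shares refunded by `_refundExcess`, so the shortfall lands on the protocol and publisher, not on the buyer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: a Foundry project with forge-std installed.
import {Test} from "forge-std/Test.sol";

// Constructed fee manager (not the Titles FeeManager): charges PRICE_PER_UNIT per
// unit and returns any overpayment to the calling contract.
contract MockFeeManager {
    uint256 public constant PRICE_PER_UNIT = 0.01 ether;
    uint256 public collected;

    function collectMintFee(uint256 amount) external payable {
        uint256 due = PRICE_PER_UNIT * amount;
        require(msg.value >= due, "insufficient fee");
        collected += due;
        if (msg.value > due) {
            (bool ok, ) = msg.sender.call{value: msg.value - due}("");
            require(ok, "refund failed");
        }
    }
}

// Constructed stand-in for Edition, keeping only the batch-mint accounting.
contract DemoEdition {
    MockFeeManager public immutable FEE_MANAGER;
    mapping(address => uint256) public balanceOf;

    constructor(MockFeeManager feeManager) {
        FEE_MANAGER = feeManager;
    }

    // Accepts the overpayment the fee manager sends back.
    receive() external payable {}

    // Original accounting: the fee is collected for amount_ units once, while
    // the loop issues amount_ units to every receiver.
    function mintBatchVulnerable(address[] calldata receivers_, uint256 amount_) external payable {
        FEE_MANAGER.collectMintFee{value: msg.value}(amount_);
        for (uint256 i = 0; i < receivers_.length; i++) {
            balanceOf[receivers_[i]] += amount_;
        }
        _refundExcess();
    }

    // Corrected accounting: charge for every unit that the loop issues.
    function mintBatchFixed(address[] calldata receivers_, uint256 amount_) external payable {
        FEE_MANAGER.collectMintFee{value: msg.value}(amount_ * receivers_.length);
        for (uint256 i = 0; i < receivers_.length; i++) {
            balanceOf[receivers_[i]] += amount_;
        }
        _refundExcess();
    }

    // Returns whatever the fee manager handed back to the caller.
    function _refundExcess() internal {
        uint256 excess = address(this).balance;
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            require(ok, "refund failed");
        }
    }
}

contract MintBatchAccountingTest is Test {
    MockFeeManager fm;
    DemoEdition ed;
    address buyer = address(0xB0B);
    address[] receivers;

    function setUp() public {
        fm = new MockFeeManager();
        ed = new DemoEdition(fm);
        receivers.push(address(0x11));
        receivers.push(address(0x22));
        receivers.push(address(0x33));
        vm.deal(buyer, 1 ether);
    }

    // 3 receivers x 2 units = 6 units issued, but only 2 units are paid for;
    // the buyer sends the full 0.06 ether and gets 0.04 ether straight back.
    function test_vulnerableChargesOneReceiver() public {
        vm.prank(buyer);
        ed.mintBatchVulnerable{value: 0.06 ether}(receivers, 2);
        assertEq(fm.collected(), 0.02 ether);
        assertEq(buyer.balance, 0.98 ether);
        assertEq(ed.balanceOf(address(0x33)), 2);
    }

    // With the multiplied amount every issued unit is paid for.
    function test_fixedChargesAllReceivers() public {
        vm.prank(buyer);
        ed.mintBatchFixed{value: 0.06 ether}(receivers, 2);
        assertEq(fm.collected(), 0.06 ether);
        assertEq(buyer.balance, 0.94 ether);
    }
}
```

Run with `forge test` in a project that has forge-std installed. The mock prices strictly per unit, so multiplying `amount_` by the receiver count is the exact fix there; a strategy with a per-call or tiered fee would need the fee collected per receiver instead.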

sammy-tm commented 5 months ago

Escalate

Dup of #264

sherlock-admin3 commented 5 months ago

Escalate

Dup of #264

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

WangSecurity commented 5 months ago

Agree with the escalation, planning to accept and duplicate with #264

Evert0x commented 5 months ago

Result: High Duplicate of #264

sherlock-admin4 commented 5 months ago

Escalations have been resolved successfully!

Escalation status: