sherlock-audit / 2024-04-titles-judging


durov - Incorrect `mintBatch()` logic lets users bypass paying most of the fees #194

Closed sherlock-admin3 closed 4 months ago

sherlock-admin3 commented 4 months ago

durov

medium

Incorrect mintBatch() logic lets users bypass paying most of the fees

Summary

Incorrect mintBatch() logic lets users pay way less fees than they are supposed to.

Vulnerability Detail

Edition.sol's `mintBatch()` function issues `amount_` of tokens to every address specified in `address[] receivers_`, but calls FeeManager to collect the fees needed to mint `amount_` of tokens for only one address. This leads to users being able to mint for multiple addresses while paying for just one.

function mintBatch(
        address[] calldata receivers_,
        uint256 tokenId_,
        uint256 amount_,
        bytes calldata data_
    ) external payable {
        // wake-disable-next-line reentrancy
        FEE_MANAGER.collectMintFee{value: msg.value}(
+           this, tokenId_, amount_, msg.sender, address(0), works[tokenId_].strategy
        );

        for (uint256 i = 0; i < receivers_.length; i++) {
            _issue(receivers_[i], tokenId_, amount_, data_);
        }

        _refundExcess();
    }

Impact

Protocol and creators won't get most of the fees because any user can mint to multiple addresses they own while paying much smaller amounts than they should.

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L304-L320

Tool used

Manual Review

Recommendation

Take fees for every address provided.

FEE_MANAGER.collectMintFee{value: msg.value}(
+           this, tokenId_, amount_*receivers_.length, msg.sender, address(0), works[tokenId_].strategy
        );
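
Review bot: on the `+` line, `amount_*receivers_.length` is 0 when `receivers_` is empty, so the fee is computed for zero tokens while `msg.value` is still forwarded; add a non-empty check on `receivers_` before the `collectMintFee` call. Scaling the amount also assumes the fee is linear in the token count, which these lines do not show, so confirm that against `works[tokenId_].strategy` or collect the fee per receiver.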

Duplicate of #264

sammy-tm commented 4 months ago

Escalate

Dup of #264

sherlock-admin3 commented 4 months ago

Escalate

Dup of #264

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

WangSecurity commented 4 months ago

Agree with the escalation, planning to accept and duplicate with #264

Evert0x commented 4 months ago

Result: High Duplicate of #264

sherlock-admin4 commented 4 months ago

Escalations have been resolved successfully!

Escalation status: