Closed sherlock-admin4 closed 4 months ago
Escalate
Dup of #264
You've created a valid escalation!
Agree with the escalation, planning to accept and duplicate with #264
Result: High Duplicate of #264
AlexCzm
high
Users can use `mintBatch` to mint out but pay for one token only

Summary
`Edition.mintBatch()` lacks a critical check that allows users to pay for one token and mint more than one token.

Vulnerability Detail
`mintBatch` allows users to mint a token to a set of receivers. The msg.sender pays the mint fee for `amount_` tokens. Next, in the for loop the `amount_` of tokenId is sent to each `receiver`. Total tokens minted is `receivers_.length * amount_` but the mint fee collected is for `amount_` tokens.
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L299-L320
Impact
Users can mint more tokens than they paid for. Protocol, creator, etc collects (almost) no fees.
Code Snippet
Provided above
Tool used
Manual Review
Recommendation
Consider updating the `mintBatch` function and require that the msg.sender pay for `amount * receivers.length` tokens:

Duplicate of #264
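The fee-accounting bug described in the report, as an added example that is not the Titles code and not part of the original issue. `EditionModel` is a hypothetical, reduced edition contract with a flat per-token `mintFee`, ERC1155-style balances in a mapping, and a `_refundExcess` helper; the names, the fee model and the Foundry test contract are all assumptions made for illustration. The vulnerable function charges `mintFee * amount_` but issues `amount_` tokens to every receiver; the fixed version charges for `receivers_.length * amount_` tokens before the loop runs.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical model of an edition contract (not the audited Edition.sol).
// Assumption: a flat fee per minted token; balances kept in a plain mapping.
contract EditionModel {
    uint256 public immutable mintFee;      // fee charged per token minted
    uint256 public feesCollected;          // what the protocol/creator actually receives
    mapping(uint256 => mapping(address => uint256)) public balanceOf;

    error InsufficientFee(uint256 required, uint256 provided);

    constructor(uint256 mintFee_) {
        mintFee = mintFee_;
    }

    // VULNERABLE: the fee covers `amount_` tokens, but the loop issues `amount_`
    // to every receiver, so receivers_.length * amount_ tokens are minted for
    // the price of amount_.
    function mintBatchVulnerable(address[] calldata receivers_, uint256 tokenId_, uint256 amount_)
        external
        payable
    {
        uint256 required = mintFee * amount_;
        if (msg.value < required) revert InsufficientFee(required, msg.value);
        feesCollected += required;

        for (uint256 i = 0; i < receivers_.length; i++) {
            balanceOf[tokenId_][receivers_[i]] += amount_;
        }
        _refundExcess(required);
    }

    // FIXED: charge for every token that the loop will actually issue.
    // Checked arithmetic (0.8+) reverts if the multiplication overflows.
    function mintBatchFixed(address[] calldata receivers_, uint256 tokenId_, uint256 amount_)
        external
        payable
    {
        uint256 totalTokens = receivers_.length * amount_;
        uint256 required = mintFee * totalTokens;
        if (msg.value < required) revert InsufficientFee(required, msg.value);
        feesCollected += required;

        for (uint256 i = 0; i < receivers_.length; i++) {
            balanceOf[tokenId_][receivers_[i]] += amount_;
        }
        _refundExcess(required);
    }

    // Return any overpayment to the caller.
    function _refundExcess(uint256 spent) internal {
        if (msg.value > spent) {
            (bool ok,) = msg.sender.call{value: msg.value - spent}("");
            require(ok, "refund failed");
        }
    }
}

// Foundry test (assumed harness) showing the 10-for-the-price-of-1 outcome
// and that the fixed function rejects the underpayment.
contract MintBatchFeeTest is Test {
    EditionModel edition;
    address[] receivers;

    function setUp() public {
        edition = new EditionModel(0.01 ether);
        for (uint160 i = 1; i <= 10; i++) receivers.push(address(i));
    }

    function test_vulnerable_mints_ten_for_price_of_one() public {
        edition.mintBatchVulnerable{value: 0.01 ether}(receivers, 1, 1);
        assertEq(edition.feesCollected(), 0.01 ether);   // fee for one token...
        assertEq(edition.balanceOf(1, address(5)), 1);   // ...yet all 10 receivers hold one
    }

    function test_fixed_requires_fee_for_all_tokens() public {
        vm.expectRevert(
            abi.encodeWithSelector(EditionModel.InsufficientFee.selector, 0.1 ether, 0.01 ether)
        );
        edition.mintBatchFixed{value: 0.01 ether}(receivers, 1, 1);

        edition.mintBatchFixed{value: 0.1 ether}(receivers, 1, 1);
        assertEq(edition.feesCollected(), 0.1 ether);    // 10 receivers * 1 token * 0.01 ether
    }
}
```

The essential change is computing `totalTokens` from `receivers_.length * amount_` before any fee is collected, so the fee check and the issuance loop agree on how many tokens are being minted; the same principle applies whatever fee manager or mint strategy sits behind the call.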