Closed sherlock-admin3 closed 4 months ago
Escalate This is a dup of #280 and is valid
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Agree with the escalation, planning to accept and duplicate with #280
Result: Medium Duplicate of #280
sammy
high
Edition.sol::mintBatch() will always revert for tokenIds_.length greater than 1
Summary
The mintBatch() function is used to mint multiple tokens in one transaction. However, doing so will cause the function to revert.
Vulnerability Detail
The mintBatch() loops through the tokenIds_ array and calls the FEE_MANAGER.collectMintFee() function to collect the fee for each mint:
This logic is incorrect as in the first iteration of the loop, msg.value amount of wei is sent to the FEE_MANAGER contract. Subsequently, during the collectMintFee() function call, the FEE_MANAGER contract spends only the mint fee amount and keeps the rest of msg.value in the contract. Because of this, during the next iteration of the loop, the Edition.sol contract does not have enough balance to call the FEE_MANAGER.collectMintFee() with the same msg.value amount as in the first iteration. This will cause the transaction to revert.
Note that the value of msg.value remains constant in a single function call and the Edition.sol contract does not hold any balance before the mintBatch() function is called.
Impact
DoS / loss of functionality / unexpected revert
Code Snippet
Tool used
Manual Review
Recommendation
Make the following changes in the function:
Duplicate of #280
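The balance accounting described in the report can be checked with a small model. This is an added example, not code from the report or from the audited project: the names `transfer`, `mint_batch`, `reverts` and the `MINT_FEE` value are constructed, and the per-token-fee variant is an illustrative assumption, not the report's recommendation, which is not shown on this page.

```python
"""Constructed model of the wei accounting inside one mintBatch() call."""

MINT_FEE = 1_000  # constructed per-token fee in wei (assumption)


class Revert(Exception):
    """Stands in for an EVM revert, which rolls back the whole transaction."""


def transfer(balances, src, dst, amount):
    # A call cannot attach more wei than the calling contract holds.
    if balances[src] < amount:
        raise Revert(f"{src} holds {balances[src]} wei, call attaches {amount}")
    balances[src] -= amount
    balances[dst] += amount


def mint_batch(token_ids, msg_value, forward_full_value):
    """Return the final balances, or raise Revert.

    forward_full_value=True: each collectMintFee() call attaches msg.value (as reported).
    forward_full_value=False: each call attaches only MINT_FEE (hypothetical alternative).
    """
    # Edition holds nothing before the call, then receives msg.value once.
    balances = {"edition": msg_value, "fee_manager": 0}
    for _ in token_ids:
        attached = msg_value if forward_full_value else MINT_FEE
        # The fee manager keeps everything it receives; nothing flows back.
        transfer(balances, "edition", "fee_manager", attached)
    return balances


def reverts(token_ids, msg_value, forward_full_value):
    try:
        mint_batch(token_ids, msg_value, forward_full_value)
        return False
    except Revert:
        return True


if __name__ == "__main__":
    for ids in ([1], [1, 2], [1, 2, 3]):
        value = MINT_FEE * len(ids)  # caller pays the fee for every token
        print(len(ids), "tokens:",
              "full msg.value reverts =", reverts(ids, value, True),
              "| per-token fee reverts =", reverts(ids, value, False))
```

With one token the full-value forward succeeds because the first call is the only call; from two tokens on, the second call attaches wei the contract no longer holds.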