search

sherlock-audit / 2024-04-titles-judging

9 stars 6 forks source link

Yu3H0 - The mintBatch function spends only one share of the money to get multiple mint #214

Closed sherlock-admin3 closed 4 months ago

sherlock-admin3 commented 4 months ago

Yu3H0

high

The mintBatch function spends only one share of the money to get multiple mint

Summary

The mintBatch function spends only one share of the money to get multiple mint

Vulnerability Detail

in mintBatch function, attacker can only use one share of the money, but can give every receiver amount of mint.

function mintBatch(
        address[] calldata receivers_,
        uint256 tokenId_,
        uint256 amount_,
        bytes calldata data_
    ) external payable {
        // wake-disable-next-line reentrancy
        FEE_MANAGER.collectMintFee{value: msg.value}(
            this, tokenId_, amount_, msg.sender, address(0), works[tokenId_].strategy // one time pay
        );

        for (uint256 i = 0; i < receivers_.length; i++) {
            _issue(receivers_[i], tokenId_, amount_, data_); // multi time mint
        }

        _refundExcess();
    }

it will cause the vaule drop, and make funds loss.

Impact

funds loss

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L304

Tool used

Manual Review

Recommendation

for every receiver, spend one share of money

MageIntern commented 3 months ago

Escalate

It is dup of https://github.com/sherlock-audit/2024-04-titles-judging/issues/280

sherlock-admin3 commented 3 months ago

Escalate

It is dup of https://github.com/sherlock-audit/2024-04-titles-judging/issues/280

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

WangSecurity commented 3 months ago

I believe this report is insufficient to be a duplicate of #280 . Poor quality and doesn't explain that the msg.value is spent in the first iteration and then in the second it reverts. Hence, planning to reject the escalation and leave the issue as it is.

Evert0x commented 3 months ago

Result: Invalid Unique

sherlock-admin4 commented 3 months ago

Escalations have been resolved successfully!

Escalation status: