search

sherlock-audit / 2024-04-titles-judging

9 stars 6 forks source link

0x73696d616f - `Edition::mintBatch(address[] calldata receivers_, ...)` calculates incorrect fees for minters #223

Closed sherlock-admin4 closed 4 months ago

sherlock-admin4 commented 4 months ago

0x73696d616f

high

Edition::mintBatch(address[] calldata receivers_, ...) calculates incorrect fees for minters

Summary

Edition::mintBatch(address[] calldata receivers_, ...) allows minters to mint the same work (tokenId) to several receivers, but does not charge fees for the equivalent amount of tokens minted.

Vulnerability Detail

Edition::mintBatch(address[] calldata receivers_, ...) charges the mint fee only on the amount sent as argument, but an array of receivers will receive the tokens. This means that minters are able to mint tokens n times cheaper than expected. For example, if a minter wants to mint 10 tokens, it would pay amount * totalFees = 10 * totalFees. However, the minter is able to call Edition::mintBatch(address[] calldata receivers_, ...) with an amount of 1 and 10 receivers (its address) and pay 10 times less fees.

Impact

Fee manipulation and severe yield loss for everyone involved except the minter.

Code Snippet

Edition::mintBatch(address[] calldata receivers_, ...):

function mintBatch(
    address[] calldata receivers_,
    uint256 tokenId_,
    uint256 amount_,
    bytes calldata data_
) external payable {
    // wake-disable-next-line reentrancy
    FEE_MANAGER.collectMintFee{value: msg.value}(
        this, tokenId_, amount_, msg.sender, address(0), works[tokenId_].strategy
    );

    for (uint256 i = 0; i < receivers_.length; i++) {
        _issue(receivers_[i], tokenId_, amount_, data_);
    }

    _refundExcess();
}

Tool used

Manual Review

Vscode

Recommendation

The fees charged should be amount * receivers.length.

Duplicate of #264