search

sherlock-audit / 2024-04-titles-judging

9 stars 6 forks source link

Dots - User can mint the same work multiple times for the price of one #247

Closed sherlock-admin4 closed 4 months ago

sherlock-admin4 commented 4 months ago

Dots

high

User can mint the same work multiple times for the price of one

Summary

User can mint the same work multiple times for the price of one.

Vulnerability Detail

When minting works with mintBatch function in Edition.sol, the FEE_MANAGER.collectMintFee uses the amount_ parameter as if we are going to mint that exact amount. However this is the amount of tokens that we are minting to each receiver, not the whole amount of tokens minted.

Impact

Exploiting the protocol

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L304-L320

function mintBatch(
        address[] calldata receivers_,
        uint256 tokenId_,
        uint256 amount_,
        bytes calldata data_
    ) external payable {
        // wake-disable-next-line reentrancy
        FEE_MANAGER.collectMintFee{value: msg.value}(
            this, tokenId_, amount_, msg.sender, address(0), works[tokenId_].strategy
        );

        for (uint256 i = 0; i < receivers_.length; i++) {
            _issue(receivers_[i], tokenId_, amount_, data_);
        }

        _refundExcess();
    }

Tool used

Manual Review

Recommendation

I'd recommend multiplying the amount_ by receivers_.length.

function mintBatch(
        address[] calldata receivers_,
        uint256 tokenId_,
        uint256 amount_,
        bytes calldata data_
    ) external payable {
        // wake-disable-next-line reentrancy
        FEE_MANAGER.collectMintFee{value: msg.value}(
            this, tokenId_, receivers_.length * amount_, msg.sender, address(0), works[tokenId_].strategy
        );

        for (uint256 i = 0; i < receivers_.length; i++) {
            _issue(receivers_[i], tokenId_, amount_, data_);
        }

        _refundExcess();
    }

Duplicate of #264

Dots69 commented 3 months ago

@Hash01011122 isnt this a dup of https://github.com/sherlock-audit/2024-04-titles-judging/issues/264 ?

0xjuaan commented 3 months ago

Escalate

This is a dupe of the valid issue #264

sherlock-admin3 commented 3 months ago

Escalate

This is a dupe of the valid issue #264

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

WangSecurity commented 3 months ago

Agree with the escalation, planning to accept and duplicate with #264

Evert0x commented 3 months ago

Result: High Duplicate of #264

sherlock-admin4 commented 3 months ago

Escalations have been resolved successfully!

Escalation status: