Closed sherlock-admin3 closed 4 months ago
Lef
medium
function mint() does not check if user refers himself.
The function does not have the proper checks in place to prohibit self-referring.
Medium, because it requires user to interact from smart contract directly.
Medium, because it can lead to limited amount of funds lost for the protocol ( half of ref fee ).
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L228
Just add this to Edition.t.sol
receive() external payable {} function test_mint_new() public { uint256 initialSenderBalance = address(this).balance; edition.mint{value: 0.0106 ether}( address(1), 1, 1, address(this), new bytes(0) ); uint256 FinalSenderBalance = address(this).balance; assertEq(edition.totalSupply(1), 1); assertEq(initialSenderBalance - FinalSenderBalance, 0.0103 ether); assertEq(address(0xc0ffee).balance, 0.0003 ether); }
VS Code
add a require check to Edition.sol
function mint( address to_, uint256 tokenId_, uint256 amount_, address referrer_, bytes calldata data_ ) external payable override { require(msg.sender != referrer_, 'self-referring not allowed'); FEE_MANAGER.collectMintFee{value: msg.value}( this, tokenId_, amount_, msg.sender, referrer_, works[tokenId_].strategy ); _issue(to_, tokenId_, amount_, data_); _refundExcess(); }
Lef
medium
[M-02] Edition.sol:mint() #L228 user can mint and refer himself to avoid paying full fee
Summary
function mint() does not check if user refers himself.
Vulnerability Detail
The function does not have the proper checks in place to prohibit self-referring.
Likelihood
Medium, because it requires user to interact from smart contract directly.
Impact
Medium, because it can lead to limited amount of funds lost for the protocol ( half of ref fee ).
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L228
Just add this to Edition.t.sol
Tool used
VS Code
Recommendation
add a require check to Edition.sol