Assume that the total mint fee (protocol flat fee = 0.0006 ETH + minting fee = 0.0004) for each token is 0.001 ETH. Bob wants to mint 1000 tokens, and he has to pay a minting fee of 1 ETH.
However, the issue is that Bob can mint 1000 tokens without paying the full mint fee of 1 ETH as shown in the step below:
Bob calls the above mintBatch function with receivers_ array set to 1000 x Bob address and the amount_ parameter set to 1.
Line 331 above will compute the mint fee that Bob needs to pay. In this case, the amount_ is one (1), and the total mint fee will be equal to 1 X 0.001 ETH.
The for-loop at Line 315 above will loop 1000 times as the receivers_.length is 1000. Each loop will mint one token to Bob.
At the end of the for loop, Bob will receive 1000 while only paying a minting fee of 0.001 ETH instead of 1 ETH.
In other words, Bob only paid the minting fee for the first token and did not pay the minting fee for the rest of the 999 tokens.
Impact
Loss of fees for the creator and fee recipients as minters can avoid paying the fee using the trick mentioned in this report.
xiaoming90
high
Users can exploit the batch minting feature to avoid paying minting fees for tokens
Summary
Users can exploit the batch minting feature to avoid paying minting fees for tokens, leading to a loss of fees for the creator and fee recipients.
Vulnerability Detail
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L304
Assume that the total mint fee (protocol flat fee = 0.0006 ETH + minting fee = 0.0004) for each token is 0.001 ETH. Bob wants to mint 1000 tokens, and he has to pay a minting fee of 1 ETH.
However, the issue is that Bob can mint 1000 tokens without paying the full mint fee of 1 ETH as shown in the step below:
Bob calls the above
mintBatch
function withreceivers_
array set to1000 x Bob address
and theamount_
parameter set to1
.Line 331 above will compute the mint fee that Bob needs to pay. In this case, the
amount_
is one (1), and the total mint fee will be equal to1 X 0.001 ETH
.The for-loop at Line 315 above will loop 1000 times as the
receivers_.length
is 1000. Each loop will mint one token to Bob.At the end of the for loop, Bob will receive 1000 while only paying a minting fee of 0.001 ETH instead of 1 ETH.
In other words, Bob only paid the minting fee for the first token and did not pay the minting fee for the rest of the 999 tokens.
Impact
Loss of fees for the creator and fee recipients as minters can avoid paying the fee using the trick mentioned in this report.
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L304
Tool used
Manual Review
Recommendation
Consider the following change to ensure that the minting fee is computed based on the total number of tokens minted to all receivers.