search

sherlock-audit / 2024-04-titles-judging

10 stars 7 forks source link

valentin2304 - mintBatch function in Edition is vulnerable to sybil attack #289

Closed sherlock-admin4 closed 5 months ago

sherlock-admin4 commented 5 months ago

valentin2304

high

mintBatch function in Edition is vulnerable to sybil attack

High

Summary

mintBatch function in Edition is responsible for minting a token of work to a set of receivers, but doesn't calculate the mintFee correctly, leaving the protocol vulnerable to an attack where a malicious user puts his address multiple times in receivers_ and ends up paying the mint fee for only one mint;

Vulnerability Detail

function mintBatch(
        address[] calldata receivers_, //[address(user), address(user), address(user)]
        uint256 tokenId_,
        uint256 amount_,  // 1
        bytes calldata data_
    ) external payable {
        // wake-disable-next-line reentrancy
        FEE_MANAGER.collectMintFee{value: msg.value}(
            this, tokenId_, amount_, msg.sender, address(0), works[tokenId_].strategy //<- amount should be multiplied by receivers_.length 
        );

        for (uint256 i = 0; i < receivers_.length; i++) {
            _issue(receivers_[i], tokenId_, amount_, data_); //<- minthBatch will issue several works meanwhile the user only paid for one mint
        }

        _refundExcess();
    }

If malicious user calls mintBatch with receivers_ = [address(user), address(user), address(user)] and amount_ = 1 user will pay a fee for one mint, but will receive 3 works.

Impact

Loss of funds for the protocol

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L304-#L320

Tool used

Manual Review

Recommendation

In mintBatch function change the call to fee manager to FEE_MANAGER.collectMintFee{value: msg.value}( this, tokenId_, amount_ * receivers_.length, msg.sender, address(0), works[tokenId_].strategy);

Duplicate of #264

0xjuaan commented 4 months ago

Escalate

Dupe of https://github.com/sherlock-audit/2024-04-titles-judging/issues/264, not https://github.com/sherlock-audit/2024-04-titles-judging/issues/280

sherlock-admin3 commented 4 months ago

Escalate

Dupe of https://github.com/sherlock-audit/2024-04-titles-judging/issues/264, not https://github.com/sherlock-audit/2024-04-titles-judging/issues/280

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

WangSecurity commented 4 months ago

Agree with the escalation, planning to accept and duplicate with #264

Evert0x commented 4 months ago

Result: High Duplicate of #264

sherlock-admin4 commented 4 months ago

Escalations have been resolved successfully!

Escalation status: