search

sherlock-audit / 2024-04-titles-judging

6 stars 6 forks source link

Varun_05 - mintBatch mints more tokens than the amount on which the fees was applied. #291

Closed sherlock-admin4 closed 2 months ago

sherlock-admin4 commented 3 months ago

Varun_05

high

mintBatch mints more tokens than the amount on which the fees was applied.

Summary

Fees is applied on the amount of tokens a user requests to mint but there is Discrepancy between the tokens on which the fees was applied and total tokens that are minted.

Vulnerability Detail

Following is mintBatch function 

function mintBatch(
        address[] calldata receivers_,
        uint256 tokenId_,
        uint256 amount_,
        bytes calldata data_
    ) external payable {
        // wake-disable-next-line reentrancy
        FEE_MANAGER.collectMintFee{value: msg.value}(
            this, tokenId_, amount_, msg.sender, address(0), works[tokenId_].strategy
        );

        for (uint256 i = 0; i < receivers_.length; i++) {
            _issue(receivers_[i], tokenId_, amount_, data_);
        }

        _refundExcess();
    }

From above it is clear that fee is applied only on amount number of tokens. But when the for loop is executed it issues each receiver tokens = amount number of tokens essentially total tokens minted are = number of receivers*amount whereas the fees was only collected for amount number of tokens thus allowing minting of excess tokens without paying any fee.

Impact

A user can mint tokens by paying only very less fee than they should because number of receivers can be any number(even same user as every array element).

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L316

Tool used

Manual Review

Recommendation

make the following change in the code

--- for (uint256 i = 0; i < receivers_.length; i++) {
            _issue(receivers_[i], tokenId_, amount_, data_);
        }
+++  for (uint256 i = 0; i < receivers_.length; i++) {
            _issue(receivers_[i], tokenId_, amount_/(receivers_.length) , data_);
        }

Duplicate of #264

vsharma4394 commented 2 months ago

Escalate

This is a valid duplicate of #264.

sherlock-admin3 commented 2 months ago

Escalate

This is a valid duplicate of #264.

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

WangSecurity commented 2 months ago

Agree with the escalation, planning to accept and duplicate with #264

Evert0x commented 2 months ago

Result: High Duplicate of #264

sherlock-admin4 commented 2 months ago

Escalations have been resolved successfully!

Escalation status: