The mintBatch function improperly calculates minting fees, potentially allowing a malicious user to exploit this oversight by batch minting multiple tokens to themselves and paying only the fee for a single token issuance.
Vulnerability Detail
In the mintBatch function, the minting fee is calculated and collected for a single issuance quantity (amount_). However, the function issues the specified amount of tokens to each receiver in the `receiversarray. This discrepancy means that while the fee is only paid once foramounttokens, the function could mintamount * receivers_.length` tokens, effectively allowing users to bypass the correct fee payment by setting multiple receivers, especially if all receivers are the same account.
function mintBatch(
address[] calldata receivers_,
uint256 tokenId_,
uint256 amount_,
bytes calldata data_
) external payable {
// wake-disable-next-line reentrancy
FEE_MANAGER.collectMintFee{value: msg.value}(
this, tokenId_, amount_, msg.sender, address(0), works[tokenId_].strategy
);
for (uint256 i = 0; i < receivers_.length; i++) {
_issue(receivers_[i], tokenId_, amount_, data_); // @audit fee is calculated for amount_ but issue length * amount_s
}
_refundExcess();
}
ast3ros
high
Bypass minting fee in mintBatch function
Summary
The
mintBatch
function improperly calculates minting fees, potentially allowing a malicious user to exploit this oversight by batch minting multiple tokens to themselves and paying only the fee for a single token issuance.Vulnerability Detail
In the
mintBatch
function, the minting fee is calculated and collected for a single issuance quantity (amount_
). However, the function issues the specified amount of tokens to each receiver in the `receiversarray. This discrepancy means that while the fee is only paid once for
amounttokens, the function could mint
amount * receivers_.length` tokens, effectively allowing users to bypass the correct fee payment by setting multiple receivers, especially if all receivers are the same account.https://github.com/sherlock-audit/2024-04-titles/blob/2ac20d07d0b4562c0b0ee15e1becbf786f0ed896/wallflower-contract-v2/src/editions/Edition.sol#L304-L320
Impact
Lead to significant revenue loss as users can mint multiple tokens while evading the intended fee structure.
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/2ac20d07d0b4562c0b0ee15e1becbf786f0ed896/wallflower-contract-v2/src/editions/Edition.sol#L304-L320
Tool used
Manual Review
Recommendation
Adjust the calculation of the mint fee to account for the total number of tokens being issued across all receivers
Duplicate of #264