trachev - `mintBatch` will revert in almost all cases

[sherlock-admin3]

trachev

medium

mintBatch will revert in almost all cases

Summary

The mintBatch function intends to 'Mint multiple tokens for the given works'. The issue is that if there is more than one element in the tokenIds_ array the function will revert due to a lack of funds to pay for the mint fees.

Vulnerability Detail

In mintBatch all tokenIds provided by the caller are looped through, collecting the mint fee for each work. The problem is that all of the ETH provided by the caller in msg.value will be sent to the FEE_MANAGER in the first iteration of the loop. As we can see in the mintBatch for loop:

for (uint256 i = 0; i < tokenIds_.length; i++) {
          Work storage work = works[tokenIds_[i]];

          // wake-disable-next-line reentrancy
          FEE_MANAGER.collectMintFee{value: msg.value}(
              this, tokenIds_[i], amounts_[i], msg.sender, address(0), work.strategy
          );

          _checkTime(work.opensAt, work.closesAt);
          _updateSupply(work, amounts_[i]);
      }

FEE_MANAGER.collectMintFee{value: msg.value} is called for every tokenId with the same msg.value. Therefore, after the first iteration all of the msg.value will be sent to the FEE_MANAGER. In order for the rest of the iterations to be successful it would be required for their mint fees to be paid by the Edition's contract balance, which is highly likely to be insufficient (0 in most cases).

Impact

The mintBatch function fails in almost all cases.

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L277-L297

Tool used

Manual Review

Recommendation

Do not provide FEE_MANAGER.collectMintFee with the entire msg.value, but a part of it, enough to cover the expected fees.

Duplicate of #280