The mintBatch function intends to 'Mint multiple tokens for the given works'. The issue is that if there is more than one element in the tokenIds_ array the function will revert due to a lack of funds to pay for the mint fees.
Vulnerability Detail
In mintBatch all tokenIds provided by the caller are looped through, collecting the mint fee for each work. The problem is that all of the ETH provided by the caller in msg.value will be sent to the FEE_MANAGER in the first iteration of the loop.
As we can see in the mintBatch for loop:
for (uint256 i = 0; i < tokenIds_.length; i++) {
Work storage work = works[tokenIds_[i]];
// wake-disable-next-line reentrancy
FEE_MANAGER.collectMintFee{value: msg.value}(
this, tokenIds_[i], amounts_[i], msg.sender, address(0), work.strategy
);
_checkTime(work.opensAt, work.closesAt);
_updateSupply(work, amounts_[i]);
}
FEE_MANAGER.collectMintFee{value: msg.value} is called for every tokenId with the same msg.value. Therefore, after the first iteration all of the msg.value will be sent to the FEE_MANAGER. In order for the rest of the iterations to be successful it would be required for their mint fees to be paid by the Edition's contract balance, which is highly likely to be insufficient (0 in most cases).
trachev
medium
mintBatch
will revert in almost all casesSummary
The
mintBatch
function intends to 'Mint multiple tokens for the given works'. The issue is that if there is more than one element in thetokenIds_
array the function will revert due to a lack of funds to pay for the mint fees.Vulnerability Detail
In
mintBatch
alltokenIds
provided by the caller are looped through, collecting the mint fee for each work. The problem is that all of the ETH provided by the caller inmsg.value
will be sent to theFEE_MANAGER
in the first iteration of the loop. As we can see in themintBatch
for loop:FEE_MANAGER.collectMintFee{value: msg.value}
is called for everytokenId
with the samemsg.value
. Therefore, after the first iteration all of themsg.value
will be sent to theFEE_MANAGER
. In order for the rest of the iterations to be successful it would be required for their mint fees to be paid by the Edition's contract balance, which is highly likely to be insufficient (0 in most cases).Impact
The
mintBatch
function fails in almost all cases.Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L277-L297
Tool used
Manual Review
Recommendation
Do not provide
FEE_MANAGER.collectMintFee
with the entiremsg.value
, but a part of it, enough to cover the expected fees.Duplicate of #280