The mintBatch function fails and causes a revert after the first iteration of the loop because it attempts to send the entire msg.value with each iteration, depleting it after the first use.
Vulnerability Detail
During batch minting, the mintBatch function iterates through each tokenId and attempts to transfer the entire msg.value to the FEE_MANAGER for each tokenId. After the initial transaction, no funds remain for subsequent iterations, causing the function to revert in the second loop due to insuffiscient msg.value.
function mintBatch(
address to_,
uint256[] calldata tokenIds_,
uint256[] calldata amounts_,
bytes calldata data_
) external payable {
for (uint256 i = 0; i < tokenIds_.length; i++) {
Work storage work = works[tokenIds_[i]];
// wake-disable-next-line reentrancy
FEE_MANAGER.collectMintFee{value: msg.value}( // @audit revert because tries to send msg.value each time
this, tokenIds_[i], amounts_[i], msg.sender, address(0), work.strategy
);
_checkTime(work.opensAt, work.closesAt);
_updateSupply(work, amounts_[i]);
}
_batchMint(to_, tokenIds_, amounts_, data_);
_refundExcess();
}
The mintBatch function is not functional under current conditions and reverts if multiple tokens are attempted to be minted in one transaction, limiting the usability of the batch minting feature.
ast3ros
medium
mintBatch function doesn't work as expected
Summary
The
mintBatchfunction fails and causes a revert after the first iteration of the loop because it attempts to send the entiremsg.valuewith each iteration, depleting it after the first use.Vulnerability Detail
During batch minting, the
mintBatchfunction iterates through eachtokenIdand attempts to transfer the entiremsg.valueto theFEE_MANAGERfor each tokenId. After the initial transaction, no funds remain for subsequent iterations, causing the function to revert in the second loop due to insuffiscientmsg.value.https://github.com/sherlock-audit/2024-04-titles/blob/2ac20d07d0b4562c0b0ee15e1becbf786f0ed896/wallflower-contract-v2/src/editions/Edition.sol#L277-L297
Impact
The
mintBatchfunction is not functional under current conditions and reverts if multiple tokens are attempted to be minted in one transaction, limiting the usability of the batch minting feature.Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/2ac20d07d0b4562c0b0ee15e1becbf786f0ed896/wallflower-contract-v2/src/editions/Edition.sol#L277-L297
Tool used
Manual Review
Recommendation
Modify the
mintBatchfunction to send the totalmsg.valuerequired for all tokens to theFEE_MANAGERprior to looping through the tokenIdsDuplicate of #280