The mintBatch function fails and causes a revert after the first iteration of the loop because it attempts to send the entire msg.value with each iteration, depleting it after the first use.
Vulnerability Detail
During batch minting, the mintBatch function iterates through each tokenId and attempts to transfer the entire msg.value to the FEE_MANAGER for each tokenId. After the initial transaction, no funds remain for subsequent iterations, causing the function to revert in the second loop due to insuffiscient msg.value.
function mintBatch(
address to_,
uint256[] calldata tokenIds_,
uint256[] calldata amounts_,
bytes calldata data_
) external payable {
for (uint256 i = 0; i < tokenIds_.length; i++) {
Work storage work = works[tokenIds_[i]];
// wake-disable-next-line reentrancy
FEE_MANAGER.collectMintFee{value: msg.value}( // @audit revert because tries to send msg.value each time
this, tokenIds_[i], amounts_[i], msg.sender, address(0), work.strategy
);
_checkTime(work.opensAt, work.closesAt);
_updateSupply(work, amounts_[i]);
}
_batchMint(to_, tokenIds_, amounts_, data_);
_refundExcess();
}
The mintBatch function is not functional under current conditions and reverts if multiple tokens are attempted to be minted in one transaction, limiting the usability of the batch minting feature.
ast3ros
medium
mintBatch function doesn't work as expected
Summary
The
mintBatch
function fails and causes a revert after the first iteration of the loop because it attempts to send the entiremsg.value
with each iteration, depleting it after the first use.Vulnerability Detail
During batch minting, the
mintBatch
function iterates through eachtokenId
and attempts to transfer the entiremsg.value
to theFEE_MANAGER
for each tokenId. After the initial transaction, no funds remain for subsequent iterations, causing the function to revert in the second loop due to insuffiscientmsg.value
.https://github.com/sherlock-audit/2024-04-titles/blob/2ac20d07d0b4562c0b0ee15e1becbf786f0ed896/wallflower-contract-v2/src/editions/Edition.sol#L277-L297
Impact
The
mintBatch
function is not functional under current conditions and reverts if multiple tokens are attempted to be minted in one transaction, limiting the usability of the batch minting feature.Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/2ac20d07d0b4562c0b0ee15e1becbf786f0ed896/wallflower-contract-v2/src/editions/Edition.sol#L277-L297
Tool used
Manual Review
Recommendation
Modify the
mintBatch
function to send the totalmsg.value
required for all tokens to theFEE_MANAGER
prior to looping through the tokenIdsDuplicate of #280