Users can mint tokens for free in the second mintBatch function
Summary
The second mintBatch function in Edition.sol enables users to 'Mint a token to a set of receivers for the given work'. The major issue here is that the mint fee is paid for only the first receiver, causing the rest of the token mints to be free.
Vulnerability Detail
As we can see in the second mintBatch function, FEE_MANAGER.collectMintFee is called only once, for an amount_ of tokenId_. After that, every address in receivers_ is iterated through a for loop and each one is issued amount_ of tokenId_.
Therefore the mint fee is paid for the first receiver only, while all other receivers get their amount_ of tokenId_ for free: the fee covers amount_ tokens, but amount_ * receivers_.length tokens are issued.
For example:
amount_ is equal to 100
receivers_.length is equal to 10
the user pays for only 100 tokens, while 100 * 10 = 1000 are actually issued
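The following is an added illustration and not the TITLES Edition.sol code or the auditor's own snippet. It uses a stripped-down edition and a mock fee manager (the MockFeeManager interface, the flat price per token, and the Demo contract are all assumptions for the example) to show the pattern described above: the fee is collected once for amount_ before the loop, while amount_ is issued to every receiver. mintBatchFixed applies the report's recommendation and charges for amount_ * receivers_.length instead, so the same underpayment reverts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Assumed mock of the fee manager: charges a flat pricePerToken for every
/// token it is told about. Not the TITLES FeeManager.
contract MockFeeManager {
    uint256 public immutable pricePerToken;
    uint256 public collected;

    constructor(uint256 pricePerToken_) {
        pricePerToken = pricePerToken_;
    }

    function collectMintFee(uint256 amount_) external payable {
        uint256 fee = pricePerToken * amount_;
        require(msg.value >= fee, "insufficient mint fee");
        collected += fee;
        // Refund of excess payment is omitted for brevity.
    }
}

/// Stripped-down edition keeping only the batch-mint accounting.
contract EditionDemo {
    MockFeeManager public immutable FEE_MANAGER;
    mapping(uint256 => mapping(address => uint256)) public balanceOf;
    mapping(uint256 => uint256) public totalSupply;

    constructor(MockFeeManager fm) {
        FEE_MANAGER = fm;
    }

    /// Vulnerable pattern: the fee is collected once for amount_, then
    /// amount_ is issued to every receiver in the loop.
    function mintBatchVulnerable(address[] calldata receivers_, uint256 tokenId_, uint256 amount_)
        external
        payable
    {
        FEE_MANAGER.collectMintFee{value: msg.value}(amount_);
        for (uint256 i = 0; i < receivers_.length; i++) {
            _issue(receivers_[i], tokenId_, amount_);
        }
    }

    /// Fixed pattern: charge for every token actually issued.
    function mintBatchFixed(address[] calldata receivers_, uint256 tokenId_, uint256 amount_)
        external
        payable
    {
        FEE_MANAGER.collectMintFee{value: msg.value}(amount_ * receivers_.length);
        for (uint256 i = 0; i < receivers_.length; i++) {
            _issue(receivers_[i], tokenId_, amount_);
        }
    }

    function _issue(address to_, uint256 tokenId_, uint256 amount_) internal {
        balanceOf[tokenId_][to_] += amount_;
        totalSupply[tokenId_] += amount_;
    }
}

/// Self-contained check with the numbers from the report: 10 receivers,
/// amount_ = 100, price 1 wei per token. Call run() with at least 100 wei.
contract Demo {
    function run() external payable returns (uint256 issued, uint256 paidFor) {
        require(msg.value >= 100 wei, "send at least 100 wei");
        MockFeeManager fm = new MockFeeManager(1 wei);
        EditionDemo ed = new EditionDemo(fm);

        address[] memory receivers = new address[](10);
        for (uint256 i = 0; i < receivers.length; i++) {
            receivers[i] = address(uint160(i + 1));
        }

        // Pays for 100 tokens, receives 1000.
        ed.mintBatchVulnerable{value: 100 wei}(receivers, 1, 100);
        issued = ed.totalSupply(1); // 1000
        paidFor = fm.collected();   // 100 wei, so 900 tokens were free

        // The fixed variant requires 1000 wei for the same call and reverts.
        try ed.mintBatchFixed{value: 100 wei}(receivers, 2, 100) {
            revert("fixed variant accepted underpayment");
        } catch {}
    }
}
```

Deploying Demo and calling run() with 100 wei returns issued = 1000 and paidFor = 100, which is the 10x discrepancy described above; the try/catch confirms the fixed function rejects the same call.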
Impact
This enables a malicious user to mint tokens for any work for free. Furthermore, the malicious user can easily mint enough tokens to reach the maxSupply limit.
trachev
high
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L304-L321
Tool used
Manual Review
Recommendation
Perhaps multiplying the amount_ passed to FEE_MANAGER.collectMintFee by the number of receivers (receivers_.length) will be a sufficient fix.
Duplicate of #264