search

sherlock-audit / 2024-04-titles-judging

1 stars 1 forks source link

trachev - Users can mint tokens for free in the second `mintBatch` function #320

Closed sherlock-admin3 closed 2 months ago

sherlock-admin3 commented 2 months ago

trachev

high

Users can mint tokens for free in the second mintBatch function

Summary

The second mintBatch function in Edition.sol enables users to 'Mint a token to a set of receivers for the given work'. The major issue here is that the mint fee is paid for only the first receiver, causing the rest of the token mints to be free.

Vulnerability Detail

 function mintBatch(
      address[] calldata receivers_,
      uint256 tokenId_,
      uint256 amount_,
      bytes calldata data_
  ) external payable {
      // wake-disable-next-line reentrancy
      FEE_MANAGER.collectMintFee{value: msg.value}(
          this, tokenId_, amount_, msg.sender, address(0), works[tokenId_].strategy
      );

      for (uint256 i = 0; i < receivers_.length; i++) {
          _issue(receivers_[i], tokenId_, amount_, data_);
      }

      _refundExcess();
  }

As we can see in the second mintBatch function, the FEE_MANAGER.collectMintFee is called only once for an amount_ of tokenId_. Following that, all receivers are iterated through a for loop, where they are all issued an amount_ of tokenId_.

Therefore, the mint fee is only paid for the first receiver, while all other receivers get the amount_ of tokenId_ for free. For example:

Impact

This will enable a malicious user to freely mint tokens for any work. Furthermore, the malicious user can easily mint enough tokens to reach the maxSupply limit

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L304-L321

Tool used

Manual Review

Recommendation

Perhaps, multiplying the amount_ in FEE_MANAGER.collectMintFee by the number of receivers will be a sufficient fix:

 FEE_MANAGER.collectMintFee{value: msg.value}(
          this, tokenId_, amount_ * receivers_.length, msg.sender, address(0), works[tokenId_].strategy
      );

Duplicate of #264