search

sherlock-audit / 2024-04-titles-judging

1 stars 1 forks source link

ArsenLupin - The attacker could mint all the tokenId's, but paying the fee only for the 1 tokenId #330

Closed sherlock-admin3 closed 2 months ago

sherlock-admin3 commented 2 months ago

ArsenLupin

high

The attacker could mint all the tokenId's, but paying the fee only for the 1 tokenId

Summary

In the mintBatch function we can mint a token to a set of receivers for the given work. However the function works incorrectly, because the fees is paid only for 1 tokenId, but the issue function mint tokenId in the loop to the different addresses.

Vulnerability Detail

  1. Attacker create many accounts as receivers_
  2. Attacker invoke the mintBatch and pay the fee for minting 1 tokenId. 2.1 - The 1 tokenId is minted for each receiver in the loop till the maxSupply is reached
  3. Attacker receives all the tokenId's while paying only for one tokenId
function test_mintBatchToManyUsers() public {
        address[] memory users = new address[](5);
        users[0] = address(1);
        users[1] = address(2);
        users[2] = address(3);
        users[3] = address(4);
        users[4] = address(5);

        address attacker = address(8888);
        vm.deal(address(attacker), 1 ether);

        console.log("The attacker balance before", address(attacker).balance);
        vm.prank(address(attacker));
        edition.mintBatch{value: 0.01275 ether}(users, 1, 1, "0x");
        console.log("The attacker balance after", address(attacker).balance);
    }

Impact

Attacker could mint all the tokenId's to hisself(accounts that belongs to attacker) and prevent other user's from minting this tokenId

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L304-L320

Tool used

Manual Review / Foundry

Recommendation

Ensure that the correct amount of fees is paid, based on the overall amount of minted tokenId's.

Duplicate of #264

ShaheenRehman commented 1 month ago

Escalate

This finding is a valid dup of #264

sherlock-admin3 commented 1 month ago

Escalate

This finding is a valid dup of #264

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

WangSecurity commented 1 month ago

Agree with the escalation, planning to accept and duplicate with #264

Evert0x commented 1 month ago

Result: High Duplicate of #264

sherlock-admin4 commented 1 month ago

Escalations have been resolved successfully!

Escalation status: