Closed sherlock-admin3 closed 5 months ago
Escalate
This finding is a valid dup of #280
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Agree with the escalation, planning to accept and duplicate with #280
Result: Medium Duplicate of #280
ArsenLupin
high
The mintBatch function works incorrectly, which could cause the revert or the Edition.sol being drained.
Summary
The mintBatch receives the tokenId array as input. Then, it executes the collectMintFee in the loop; the main reason for it is to collect respective fees for the tokenIds. However, the function will not work as intended due to msg.value behaviour in the loop.
Vulnerability Detail
Let's take a look at the loop.
Imagine:
This means that using msg.value in a for- or while-loop, without extra accounting logic, will either lead to the transaction reverting (when there are no longer sufficient funds for later iterations), or to the contract being drained (when the contract itself has an Eth balance).
Proof of Concept
Impact
Function will not work / Funds could be drained
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L277-L297
Tool used
Manual Review / Foundry
Recommendation
I would suggest avoiding using msg.value in a loop.
Duplicate of #280
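The msg.value-in-a-loop pattern described in this report, next to one way to account for it, as an added example that is not the Titles code or part of the original report. The contract, its function names and the per-token fee mapping are hypothetical, and token minting is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contract (assumption): names and fee model are illustrative,
// not taken from the Titles Edition.sol or its fee manager.
contract BatchFeeExample {
    address public immutable owner;
    address payable public immutable feeRecipient;
    mapping(uint256 => uint256) public feeOf; // mint fee per tokenId, in wei

    constructor(address payable recipient) {
        owner = msg.sender;
        feeRecipient = recipient;
    }

    function setFee(uint256 tokenId, uint256 fee) external {
        require(msg.sender == owner, "not owner");
        feeOf[tokenId] = fee;
    }

    // Flawed: msg.value is the same in every iteration, so the full payment
    // is forwarded once per token. Later iterations either revert (balance
    // too low) or are paid out of ETH the contract already held.
    function mintBatchFlawed(uint256[] calldata tokenIds) external payable {
        for (uint256 i = 0; i < tokenIds.length; i++) {
            _collect(msg.value);
        }
    }

    // Corrected: sum the per-token fees, compare against msg.value exactly
    // once, then forward only each token's own fee.
    function mintBatchFixed(uint256[] calldata tokenIds) external payable {
        uint256 total = 0;
        for (uint256 i = 0; i < tokenIds.length; i++) {
            total += feeOf[tokenIds[i]];
        }
        require(msg.value == total, "payment != total fees");
        for (uint256 i = 0; i < tokenIds.length; i++) {
            _collect(feeOf[tokenIds[i]]);
        }
    }

    function _collect(uint256 amount) private {
        (bool ok, ) = feeRecipient.call{value: amount}("");
        require(ok, "fee transfer failed");
    }
}
```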