Closed sherlock-admin4 closed 2 months ago
Escalate
This is a duplicate of #280
You've created a valid escalation!
To remove the escalation from consideration: Delete your comment.
You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.
Agree with the escalation, planning to accept and duplicate with #280
Result: Medium Duplicate of #280
KupiaSec
high
Improper handling of msg.value in the Edition::mintBatch function
Summary
The Edition::mintBatch function is designed to mint multiple tokens for the given works and minter should send required amount of Ether as msg.value. However msg.value is used within a loop and it will try to pull much more Ether from Edition than sent from minter.
Vulnerability Detail
Users are able to use the Edition::mintBatch function to mint multiple tokens for the given works. The current implementation of the Edition::mintBatch function is as follows:
As evident from the provided code, at L287 the msg.value is sent to the FeeManager contract multiple times within a loop. This implementation flaw could result in the unintended drainage of Ether from the Edition contract.
If the Edition contract has a sufficient Ether balance, more Eth is transferred to FEE_MANAGER. However, if the Edition contract's Ether balance is depleted, the mintBatch function will always revert due to insufficient funds.
Impact
There are two potential impacts in the Edition::mintBatch function implementation:
If the Edition contract has a sufficient Ether balance, minters may be able to drain the contract's Ether by calling the mintBatch function, effectively obtaining multiple items without paying the required amount of Ether.
In the event the Edition contract does not have a sufficient Ether balance, any attempt to call the mintBatch function will always result in a revert due to insufficient funds.
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L287
Tool used
Manual Review
Recommendation
It is recommended to refactor the implementation of the Edition::mintBatch function to avoid the use of msg.value within a loop.
Duplicate of #280
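The pattern described in the report, next to one way to apply the recommendation, as an added sketch that is not the audited project's code or part of the original report. The contract, the IFeeSink interface, the function names and the per-item fee lookup are all hypothetical, and token minting itself is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Hypothetical fee sink standing in for a fee manager; not the project's interface.
interface IFeeSink {
    function feeFor(uint256 tokenId, uint256 amount) external view returns (uint256);
    function collect(uint256 tokenId, uint256 amount) external payable;
}

contract BatchMintSketch {
    IFeeSink public immutable sink;

    error InsufficientPayment(uint256 required, uint256 sent);
    error LengthMismatch();

    constructor(IFeeSink sink_) { sink = sink_; }

    // Flawed pattern: msg.value is constant for the whole call, so each
    // iteration forwards the full payment again. With n items the contract
    // tries to send n * msg.value; the surplus comes out of its own balance,
    // or the call reverts when that balance is too small.
    function mintBatchFlawed(uint256[] calldata ids, uint256[] calldata amounts) external payable {
        if (ids.length != amounts.length) revert LengthMismatch();
        for (uint256 i = 0; i < ids.length; ++i) {
            sink.collect{value: msg.value}(ids[i], amounts[i]);
        }
    }

    // Corrected pattern: forward only each item's fee, keep a running total,
    // and check it against msg.value so the contract never spends more
    // than the caller supplied.
    function mintBatchFixed(uint256[] calldata ids, uint256[] calldata amounts) external payable {
        if (ids.length != amounts.length) revert LengthMismatch();
        uint256 spent;
        for (uint256 i = 0; i < ids.length; ++i) {
            uint256 fee = sink.feeFor(ids[i], amounts[i]);
            spent += fee;
            if (spent > msg.value) revert InsufficientPayment(spent, msg.value);
            sink.collect{value: fee}(ids[i], amounts[i]);
        }
        // Return any overpayment to the caller once all fees are forwarded.
        uint256 excess = msg.value - spent;
        if (excess != 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            require(ok, "refund failed");
        }
    }
}
```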