search

sherlock-audit / 2024-04-titles-judging

1 stars 1 forks source link

KupiaSec - Incorrect Handling of Mint Fees in `Edition::mintBatch` Function #382

Closed sherlock-admin3 closed 2 months ago

sherlock-admin3 commented 2 months ago

KupiaSec

high

Incorrect Handling of Mint Fees in Edition::mintBatch Function

Summary

The Edition::mintBatch function is designed to mint a token to set of receivers for the given work. However mint fee is set incorrectly and protocol collects less fee than it should do.

Vulnerability Detail

The Edition::mintBatch function is designed to allow minting of a token to a set of receivers for the given work. However, the current implementation of the function incorrectly handles the mint fees, resulting in the protocol collecting less fee than it should.

The current implementation of the Edition::mintBatch function is as follows:

Edition.sol
304: function mintBatch(
305:         address[] calldata receivers_,
306:         uint256 tokenId_,
307:         uint256 amount_,
308:         bytes calldata data_
309:     ) external payable {
310:         // wake-disable-next-line reentrancy
311:         FEE_MANAGER.collectMintFee{value: msg.value}(
312:             this, tokenId_, amount_, msg.sender, address(0), works[tokenId_].strategy //@audit amount is set incorrectly
313:         );
314: 
315:         for (uint256 i = 0; i < receivers_.length; i++) {
316:             _issue(receivers_[i], tokenId_, amount_, data_);
317:         }
318: 
319:         _refundExcess();
320:     }

As evident from the provided code, at L312 the function is set to collect the mint fee according the amount_. Additionally, the function sends amount_ number of tokens to each receiver, resulting in a total number of tokens minted that is equal to receivers_length * amount_.

However, the current implementation only collects the mint fee for the amount_ number of tokens, rather than the full quantity minted. This discrepancy will result in a financial loss for the protocol.

Impact

Due to the incorrect setting of amount_ in the Edition::mintBatch function implementation, minters may be able to mint a significantly higher number of tokens than they are intended to receive. This discrepancy would result in a financial loss for the protocol.

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L312

Tool used

Manual Review

Recommendation

It is recommended to fix the function as follows:

Edition.sol
304: function mintBatch(
305:         address[] calldata receivers_,
306:         uint256 tokenId_,
307:         uint256 amount_,
308:         bytes calldata data_
309:     ) external payable {
310:         // wake-disable-next-line reentrancy
311:         FEE_MANAGER.collectMintFee{value: msg.value}(
-312:             this, tokenId_, amount_, msg.sender, address(0), works[tokenId_].strategy
+                 this, tokenId_, amount_ * receivers_.length, msg.sender, address(0), works[tokenId_].strategy
313:         );
314: 
315:         for (uint256 i = 0; i < receivers_.length; i++) {
316:             _issue(receivers_[i], tokenId_, amount_, data_);
317:         }
318: 
319:         _refundExcess();
320:     }

Duplicate of #264

KupiaSecAdmin commented 1 month ago

Escalate

This is a duplicate of #264

sherlock-admin3 commented 1 month ago

Escalate

This is a duplicate of #264

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

WangSecurity commented 1 month ago

Agree with the escalation, planning to accept and duplicate with #264

Evert0x commented 1 month ago

Result: High Duplicate of #264

sherlock-admin4 commented 1 month ago

Escalations have been resolved successfully!

Escalation status: