Closed sherlock-admin3 closed 2 months ago
Escalate
Judge Sahab! This finding is a valid dup of #280; in fact, this Watson added a coded PoC as well. Thanks!
Agree with the escalation, planning to accept and duplicate with #280
Result: Medium, duplicate of #280

Shaheen
medium
mintBatch() will always revert for the users

Summary
The mintBatch(address to_, uint256[] calldata tokenIds_, uint256[] calldata amounts_, bytes calldata data_) function will always revert for the users with the OutOfFunds error.

Vulnerability Detail
The mintBatch() function is in place to allow users to mint multiple tokens for the given works. As we can see, this function calls collectMintFee() in a loop; collectMintFee takes the fee from the user, and then mintBatch calls _batchMint() to mint the NFTs to the users.

Issue
The problem is that this function calls collectMintFee() in a loop, each time with all of the given msg.value. So when the loop iterates the second time, the contract no longer has any funds to give to collectMintFee(), and the function reverts the execution with the OutOfFunds error.

Proof-of-Concept
Just wanted to add an interesting additional thing as a proof: when we run the above test without vm.expectRevert() and with Foundry's 3rd verbosity level, -vvv, this is the output we get:

Impact
Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/d7f60952df22da00b772db5d3a8272a988546089/wallflower-contract-v2/src/editions/Edition.sol#L287
Tool used
ChonCh
Recommendation
Do not give all of the given msg.value in the first loop iteration only; calculate the fee first and then pass only that amount as the value to collectMintFee().

Duplicate of #280
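As an added illustration of the Issue and Recommendation above (not code from the Titles repository), here are the two loop shapes side by side: the buggy one forwarding msg.value on every iteration, and the recommended one forwarding only each work's computed fee. The contract layout, the flat FEE_PER_TOKEN, and the feeRecipient address are assumptions for the demo.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified illustration, not the Titles Edition.sol code: the fee recipient,
// the flat FEE_PER_TOKEN and the minted bookkeeping are assumptions for the demo.
contract BatchMintFeeDemo {
    address public immutable feeRecipient;
    uint256 public constant FEE_PER_TOKEN = 0.01 ether; // assumed flat fee per unit
    mapping(uint256 => uint256) public minted;

    constructor(address feeRecipient_) {
        feeRecipient = feeRecipient_;
    }

    // Buggy pattern from the finding: every iteration forwards the whole msg.value.
    // The first call drains the contract's ETH, so the second iteration tries to send
    // value the contract no longer holds; the inner call fails for lack of balance
    // (shown as OutOfFunds in a Foundry trace) and the batch mint reverts.
    function mintBatchBuggy(uint256[] calldata tokenIds_, uint256[] calldata amounts_) external payable {
        for (uint256 i = 0; i < tokenIds_.length; i++) {
            _collectMintFee(msg.value, amounts_[i]);
            _mint(tokenIds_[i], amounts_[i]);
        }
    }

    // Recommended pattern: compute each work's fee and forward only that amount,
    // then check that the caller supplied exactly the sum of the per-work fees.
    function mintBatchFixed(uint256[] calldata tokenIds_, uint256[] calldata amounts_) external payable {
        uint256 total;
        for (uint256 i = 0; i < tokenIds_.length; i++) {
            uint256 fee = FEE_PER_TOKEN * amounts_[i];
            total += fee;
            _collectMintFee(fee, amounts_[i]);
            _mint(tokenIds_[i], amounts_[i]);
        }
        require(msg.value == total, "wrong total fee");
    }

    // Stand-in for collectMintFee(): forwards value_ to the fee recipient.
    function _collectMintFee(uint256 value_, uint256 amount_) internal {
        require(value_ >= FEE_PER_TOKEN * amount_, "insufficient fee");
        (bool ok,) = feeRecipient.call{value: value_}("");
        require(ok, "fee transfer failed");
    }

    function _mint(uint256 tokenId_, uint256 amount_) internal {
        minted[tokenId_] += amount_;
    }
}
```

With a single-element batch both functions behave the same, which is why the defect only shows up once tokenIds_ has two or more entries.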