Edition.sol::mintBatch allows anyone to mint any amout of NFTs paying the fee only one time.
Summary
The Edition.sol::mintBatch offers a way for a user to mint bigger amounts of tokens in only one transaction. However, this function also allows the mint charging only one fee.
Vulnerability Detail
Any amount of tokens can be minted with the user being charged for one unit of it.
Impact
The whole supply can be instantly minted with only one fee paid.
PoC
```solidity
function test_MintBatchOverloaded() public {
for (uint i = 0; i < 100; i++) {
addresses.push(address(uint160(uint(keccak256(abi.encodePacked(i))))));
}
assertEq(BARBA.balance, 5 ether);
vm.prank(BARBA);
edition.mintBatch{value: 0.1 ether}(addresses, 1, 1,"");
assertEq(BARBA.balance, 5 ether - 0.1 ether);
}
```
Enforce the total value of the batch before handling the rest of the function. Verify if msg.value == ((receivers.length * amount)*mintFee) and also verify the total supply before handling the rest of the logic.
i3arba
high
Edition.sol::mintBatchallows anyone to mint any amout of NFTs paying the fee only one time.Summary
The
Edition.sol::mintBatchoffers a way for a user to mint bigger amounts of tokens in only one transaction. However, this function also allows the mint charging only one fee.Vulnerability Detail
Any amount of tokens can be minted with the user being charged for one unit of it.
Impact
The whole supply can be instantly minted with only one fee paid.
PoC
```solidity function test_MintBatchOverloaded() public { for (uint i = 0; i < 100; i++) { addresses.push(address(uint160(uint(keccak256(abi.encodePacked(i)))))); } assertEq(BARBA.balance, 5 ether); vm.prank(BARBA); edition.mintBatch{value: 0.1 ether}(addresses, 1, 1,""); assertEq(BARBA.balance, 5 ether - 0.1 ether); } ```Code Snippet
https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L277-L297
Tool used
Manual Review
Recommendation
Enforce the total value of the batch before handling the rest of the function. Verify if msg.value == ((receivers.length * amount)*mintFee) and also verify the total supply before handling the rest of the logic.