Hash for Project is not controlled - projects with the same hash are possible, and NFTs with the same URI #120
Labels
bug: Something isn't working
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons
valid
Lines of code
https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/HomeFi.sol#L210-L232
Vulnerability details
Impact
The `_hash` passed into HomeFi.sol is used as the NFT URI. The contracts neither check for duplicates nor validate that the supplied value is correct. Within the smart contracts this is not dangerous (NFTs are not used much here), but it can matter once a frontend or backend relies on the value, because hashes will not be unique.
Proof of Concept
createProject() https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/HomeFi.sol#L210-L232
mintNFT() https://github.com/code-423n4/2022-08-rigor/blob/5ab7ea84a1516cb726421ef690af5bc41029f88f/contracts/HomeFi.sol#L284-L297
Tools Used
Hardhat
Recommended Mitigation Steps
Check whether it is necessary for NFT hashes to be unique; if so, add the corresponding checks.
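One way to enforce such a check, as an added illustration rather than HomeFi's own code: a stripped-down project registry that keys a mapping on keccak256 of the submitted bytes and rejects a repeat. The contract name, the sequential project id and the `isHashUsed` view are assumptions made for the example; the only thing taken from the page is that `_hash` is the bytes value that later becomes the NFT URI.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example, not the HomeFi contract: a minimal project registry that
/// refuses to register the same `_hash` (the future NFT URI) twice.
/// Assumptions: `_hash` is dynamic bytes, project ids are sequential, and
/// everything else HomeFi does in createProject()/mintNFT() is omitted.
contract UniqueProjectHash {
    uint256 public projectCount;

    // project id => the hash / URI it was registered with
    mapping(uint256 => bytes) public projectHash;

    // keccak256(_hash) => already registered? (dynamic bytes cannot be a
    // mapping key directly, so the digest is used as the key)
    mapping(bytes32 => bool) private hashUsed;

    event ProjectCreated(uint256 indexed id, bytes hash);

    function createProject(bytes calldata _hash) external returns (uint256 id) {
        require(_hash.length != 0, "empty hash");
        bytes32 key = keccak256(_hash);
        require(!hashUsed[key], "duplicate project hash");
        hashUsed[key] = true;

        id = ++projectCount;
        projectHash[id] = _hash;
        emit ProjectCreated(id, _hash);
    }

    /// Lets a frontend or backend pre-check a URI before submitting it.
    function isHashUsed(bytes calldata _hash) external view returns (bool) {
        return hashUsed[keccak256(_hash)];
    }
}
```

Keying on the digest keeps the check to one storage read regardless of the URI length. If the real contract ever lets a project change its hash after creation, the same mapping must release the old key and test the new one, otherwise the uniqueness guarantee only holds at creation time.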