Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

m4ttm - Burning any CouncilMember other than the last can prevent minting #238

Closed
sherlock-admin2 opened this issue Jan 15, 2024 · 1 comment
Closed

m4ttm - Burning any CouncilMember other than the last can prevent minting #238

sherlock-admin2 opened this issue Jan 15, 2024 · 1 comment
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin2
Copy link
Contributor

sherlock-admin2 commented Jan 15, 2024
edited
Loading

m4ttm

high

Burning any CouncilMember other than the last can prevent minting

Summary

CouncilMember is an ERC-721 which contains a mint function that mints at an index according to the supply. Since the burn function allows any token to be burned, the next id to mint can be inconsistent with the supply and can cause mint to revert since the id already exists.

Vulnerability Detail

Add the following test to [https://github.com/sherlock-audit/2024-01-telcoin/blob/0954297f4fefac82d45a79c73f3a4b8eb25f10e9/telcoin-audit/test/sablier/CouncilMember.test.ts#L127](https://github.com/sherlock-audit/2024-01-telcoin/blob/0954297f4fefac82d45a79c73f3a4b8eb25f10e9/telcoin-audit/test/sablier/CouncilMember.test.ts)

describe("mintBurnMint", () => {
            it("mint 2, burn the first, then mint", async () => {
            	// mint two NFTS
                await expect(councilMember.mint(member.address)).emit(councilMember, 'Transfer');
                await expect(councilMember.mint(member.address)).emit(councilMember, 'Transfer');
                
                // burn NFT at index 0
                await councilMember.burn(0, member.address);
                
                // try and mint another NFT - reverts
                await councilMember.mint(member.address);
            });
        });

The mint function mints the next NFT according to the current supply, assuming all consecutive NFTs exist but the burn function allows burning by any index.

Impact

This can brick the mint function temporarily. This state can be corrected, but will require burning and reminting such that all ids are consecutive.

Code Snippet

https://github.com/sherlock-audit/2024-01-telcoin/blob/0954297f4fefac82d45a79c73f3a4b8eb25f10e9/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L173-L182

function mint(
        address newMember
    ) external onlyRole(GOVERNANCE_COUNCIL_ROLE) {
        if (totalSupply() != 0) {
            _retrieve();
        }

        balances.push(0);
        _mint(newMember, totalSupply());
    }

https://github.com/sherlock-audit/2024-01-telcoin/blob/0954297f4fefac82d45a79c73f3a4b8eb25f10e9/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L210-L222

function burn(
        uint256 tokenId,
        address recipient
    ) external onlyRole(GOVERNANCE_COUNCIL_ROLE) {
        require(totalSupply() > 1, "CouncilMember: must maintain council");
        _retrieve();
        _withdrawAll(recipient, tokenId);

        uint256 balance = balances[balances.length - 1];
        balances[tokenId] = balance;
        balances.pop();
        _burn(tokenId);
    }

Tool used

Manual Review

Recommendation

Change the burn function to only allow burning the last ID.

Duplicate of #199
@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jan 19, 2024
@sherlock-admin2
Copy link
Contributor Author

1 comment(s) were left on this issue during the judging contest.

takarez commented:

valid because { dupp of 109}

@sherlock-admin2 sherlock-admin2 changed the title Jolly Citron Terrier - Burning any CouncilMember other than the last can prevent minting m4ttm - Burning any CouncilMember other than the last can prevent minting Jan 29, 2024
@sherlock-admin2 sherlock-admin2 added the Reward A payout will be made for this issue label Jan 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sherlock-admin2