-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
mstpr-brainbot - If any NFT except the last index is burnt, minting new NFT's are impossible #36
Labels
Duplicate
A valid issue that is a duplicate of an issue with `Has Duplicates` label
High
A valid High severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
Comments
amshirif
added
High
A valid High severity issue
Duplicate
A valid issue that is a duplicate of an issue with `Has Duplicates` label
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
labels
Jan 16, 2024
Duplicate issue #6 |
github-actions
bot
added
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
and removed
Duplicate
A valid issue that is a duplicate of an issue with `Has Duplicates` label
labels
Jan 19, 2024
This was referenced Jan 19, 2024
1 comment(s) were left on this issue during the judging contest. takarez commented:
|
nevillehuang
added
Duplicate
A valid issue that is a duplicate of an issue with `Has Duplicates` label
and removed
Has Duplicates
A valid issue with 1+ other issues describing the same vulnerability
labels
Jan 25, 2024
sherlock-admin2
changed the title
Cool Raspberry Rook - If any NFT except the last index is burnt, minting new NFT's are impossible
mstpr-brainbot - If any NFT except the last index is burnt, minting new NFT's are impossible
Jan 29, 2024
The protocol team fixed this issue in PR/commit https://github.com/telcoin/telcoin-audit/pull/31. |
The Lead Senior Watson signed off on the fix. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
Duplicate
A valid issue that is a duplicate of an issue with `Has Duplicates` label
High
A valid High severity issue
Reward
A payout will be made for this issue
Sponsor Confirmed
The sponsor acknowledged this issue is valid
Will Fix
The sponsor confirmed this issue will be fixed
mstpr-brainbot
high
If any NFT except the last index is burnt, minting new NFT's are impossible
Summary
When an NFT is burned, the total supply decreases, and the new NFT to be minted uses the totalSupply as the tokenId. Since the totalSupply decreases due to burns, the tokenId assigned to the new NFT will already exist, making the function unusable.
Vulnerability Detail
When an NFT is burned, the totalSupply decreases in the ERC721Enumerable contract and increases in mints.
https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/dee57da57d313b0823699d1c643d3cf461746c7f/contracts/token/ERC721/extensions/ERC721EnumerableUpgradeable.sol#L20-L26
Assume there are Alice, Bob, and Carol, where Alice holds tokenId 0, Bob holds 1, and Carol holds 2. Hence, the total supply is 3.
When Bob's NFT is burned by governance, the totalSupply will be 2.
https://github.com/sherlock-audit/2024-01-telcoin/blob/0954297f4fefac82d45a79c73f3a4b8eb25f10e9/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L210-L222
When a new NFT is minted by governance, the tokenId assigned to the new NFT will be the totalSupply(), which is 2. However, tokenId 2 is already in use and held by Carol. That means minting new tokens is impossible!
Coded PoC:
Impact
High since new NFT's can't be minted, system is forever blocked.
Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/0954297f4fefac82d45a79c73f3a4b8eb25f10e9/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L173-L182
https://github.com/sherlock-audit/2024-01-telcoin/blob/0954297f4fefac82d45a79c73f3a4b8eb25f10e9/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L210-L222
https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/dee57da57d313b0823699d1c643d3cf461746c7f/contracts/token/ERC721/extensions/ERC721EnumerableUpgradeable.sol#L75-L196
Tool used
Manual Review
Recommendation
Don't mint new tokens to "totalSupply()" but instead mint to a counter value that is held in storage and updated accordingly.
Duplicate of #199
The text was updated successfully, but these errors were encountered: