First Flight #2: Puppy Raffle

First Flight #2

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

`_safemint()` function causes reentrancy

Nocturnus

Summary

The _safemint() function incorporates the onERC721Received function, which serves to verify the receiver contract's capability to handle NFTs preventing potential situations where NFTs may become permanently locked. This function is utilized in the safeTransferFrom and _safeMint operations of the ERC721 contract.

Vulnerability Details

The vulnerability arises in the selectWinner() function, which calls _safeMint(), a function that includes a callback to the "to" address argument. Functions containing callbacks should be equipped with reentrancy guards to protect against potential malicious actors, both internal and external to the protocol.

The _checkOnERC721Received function responsible for this verification is as follows:

function _safeMint(address to, uint256 tokenId, bytes memory _data) internal virtual {

_mint(to, tokenId);

require(_checkOnERC721Received(address(0), to, tokenId, _data), "ERC721: transfer to non ERC721Receiver implementer");

}

see the _checkOnERC721Received, which is as follows,

function _checkOnERC721Received(address from, address to, uint256 tokenId, bytes memory _data) private returns (bool)

{

if (!to.isContract()) {

return true;

}

bytes memory returndata = to.functionCall(abi.encodeWithSelector(

IERC721Receiver(to).onERC721Received.selector,

_msgSender(),

from,

tokenId,

_data

), "ERC721: transfer to non ERC721Receiver implementer");

bytes4 retval = abi.decode(returndata, (bytes4));

return (retval == _ERC721_RECEIVED);

}

Without a reentrancy guard, the onERC721Received function could permit an attacker-controlled contract to initiate additional mints, posing a significant security risk.

Impact

This vulnerability enables the attacker to perform multiple mints.

Tools Used

Manual code review

Recommendations

It is advisable to integrate a reentrancy modifier from OpenZeppelin or other reputable security libraries to prevent any potential reentrancy attacks. Implementing this safeguard will significantly increase the security and robustness of the protocol, mitigating the risk of unauthorized mints and other associated vulnerabilities.

Updates

Lead Judging Commences

Hamiltonite Lead Judge almost 2 years ago

Submission Judgement Published

Invalidated

Reason: Other

Rewards breakdown

nSLOC

143

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.