The `presentReceiver` input of the `buyPresent(address presentReceiver)` function is used as the address to burn tokens from, which leads to unauthorized burning.
Importantly, this attack is possible only if the user has approved >= 1e18 tokens to the contract.
In `buyPresent(address presentReceiver)`, `presentReceiver` is the input value for the `burn` function.
At the same time, the minted NFT goes to `msg.sender`.
As a result, `presentReceiver` is effectively paying for the attacker's NFTs.
Foundry tests will look like this:
Full test on GitHub repo fork
Foundry
Use `msg.sender` inside the function body.
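The vulnerable and corrected shapes of `buyPresent` side by side, as an added example that is not the audited contract's code. `ModelToken`, `ModelShop`, `nftBalance`, the unrestricted `mint` helper and the allowance-spending `burn` are constructed assumptions that follow the precondition stated in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed model for illustration. Every name except buyPresent,
// presentReceiver and burn is an assumption, not the audited code.
contract ModelToken {
    address public immutable shop;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(address shop_) { shop = shop_; }

    // Test helper, deliberately unrestricted in this model.
    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
    }

    function approve(address spender, uint256 amount) external {
        allowance[msg.sender][spender] = amount;
    }

    // Burns 1e18 from `from`, spending the allowance `from` gave the shop
    // (assumed, to match the ">= 1e18 approved" precondition in the finding).
    function burn(address from) external {
        require(msg.sender == shop, "only shop");
        allowance[from][shop] -= 1e18; // checked arithmetic reverts on underflow
        balanceOf[from] -= 1e18;
    }
}

contract ModelShop {
    ModelToken public immutable token;
    mapping(address => uint256) public nftBalance; // stand-in for the NFT mint

    constructor() { token = new ModelToken(address(this)); }

    // Vulnerable shape: the payer is chosen by the caller, the NFT goes to the caller.
    function buyPresentVulnerable(address presentReceiver) external {
        token.burn(presentReceiver);
        nftBalance[msg.sender] += 1;
    }

    // Corrected shape: the caller always pays with their own tokens.
    // Crediting presentReceiver is an assumption about the intended behaviour.
    function buyPresentFixed(address presentReceiver) external {
        token.burn(msg.sender);
        nftBalance[presentReceiver] += 1;
    }
}
```

A regression test for the fix should assert that a third party's token balance and allowance are unchanged after another account calls the function with that third party's address as `presentReceiver`.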
Current implementation allows a malicious actor to burn someone else's tokens as the burn function doesn't actually check for approvals.