Severity: high
Valid

Incorrect loading of totalSupply from storage makes it impossible to mint more than one horse

Summary

The MINT_HORSE Huff macro passes the TOTAL_SUPPLY storage-slot pointer (which is zero) as the tokenId, instead of the value of totalSupply stored at that slot, so the tokenId to mint is always zero.

Vulnerability Details

In line 75 of HorseStore.huff, the value of the TOTAL_SUPPLY pointer is passed as the total supply:

    #define macro MINT_HORSE() = takes (0) returns (0) {
        [TOTAL_SUPPLY]  // [TOTAL_SUPPLY]
    @>  caller          // [msg.sender, TOTAL_SUPPLY]
        _MINT()         // []
        stop            // []
    }

Impact

Only one horse can be minted, and subsequent mints will revert.

Tools Used

Foundry, Manual review

Proof of Concept

This test mints two horses and expects the second mint to revert.

    function testMultipleMintFailsHuff() public {
        vm.startPrank(user);
        // First mint succeeds and uses tokenId 0.
        horseStore.mintHorse();
        // Second mint tries tokenId 0 again and reverts.
        vm.expectRevert();
        horseStore.mintHorse();
        vm.stopPrank();
    }

Run the Huff test:

    forge test --mc HorseStoreHuff --mt testMultipleMintFailsHuff

The test will pass, confirming that the second mint reverts.

Running 1 test for test/HorseStoreHuff.t.sol:HorseStoreHuff
[PASS] testMultipleMintFailsHuff() (gas: 60297)
Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.40s
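
A complementary regression test, added here as an example and not part of the submission or the project's code: it fails while every mint resolves to tokenId 0 and passes only when each mint uses the stored totalSupply and that value grows. The names `IHorseStoreLike`, `MintRegression`, `deployStore` and `minter` are hypothetical, and the external `totalSupply()` and `ownerOf()` getters are assumed to exist on the deployed contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Assumed minimal interface; only mintHorse() appears on the page.
interface IHorseStoreLike {
    function mintHorse() external;
    function totalSupply() external view returns (uint256);
    function ownerOf(uint256 tokenId) external view returns (address);
}

abstract contract MintRegression is Test {
    IHorseStoreLike internal store;
    address internal minter = makeAddr("minter"); // hypothetical account

    // Hypothetical hook: the concrete test deploys the Huff (or Solidity)
    // implementation and returns it, so both can share this check.
    function deployStore() internal virtual returns (IHorseStoreLike);

    function setUp() public virtual {
        store = deployStore();
    }

    // Mint between 2 and 20 horses; each one must receive the next id.
    function testFuzz_mintAssignsSequentialIds(uint256 count) public {
        count = bound(count, 2, 20);
        uint256 start = store.totalSupply();

        vm.startPrank(minter);
        for (uint256 i; i < count; ++i) {
            store.mintHorse();
            // tokenId must equal the supply read from storage before the mint
            assertEq(store.ownerOf(start + i), minter);
            // and the stored supply must advance, or the next id repeats
            assertEq(store.totalSupply(), start + i + 1);
        }
        vm.stopPrank();
    }
}
```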

Recommended Mitigation

Correctly load the value of totalSupply.

Load the value from its storage location:

#define macro MINT_HORSE() = takes (0) returns (0) {
[TOTAL_SUPPLY] // [TOTAL_SUPPLY]
- caller // [msg.sender, TOTAL_SUPPLY]
+ sload // [totalSupply]
+ caller // [msg.sender, totalSupply]
_MINT() // []
stop // []
}
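
Review bot: after the added `sload`, nothing in this macro writes an updated value back to `[TOTAL_SUPPLY]` before `stop`. Unless `_MINT()` updates that slot itself, the next call reads the same value and the second mint would again pick the same tokenId. Consider duplicating the loaded value (`dup1` before `caller`) so a copy survives `_MINT()`, then adding one and storing it to `[TOTAL_SUPPLY]` with `sstore`, and adjust the stack comments to match. A test that mints twice and checks the two ids differ would confirm the fix.
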
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Failure to properly load the totalSupply in Huff
