Severity: high
Valid

[HUFF] `TOTAL_SUPPLY()` is not updated

Summary

MINT_HORSE() has a vulnerability where TOTAL_SUPPLY is not updated during each minting operation.

Vulnerability Details

The vulnerability lies in the MINT_HORSE() macro. TOTAL_SUPPLY is supposed to be incremented during each minting operation. Instead, it returns 0 because there is no logic to update it.

Impact

The impact of this vulnerability is high. The uniqueness of token IDs is a fundamental assumption in ERC721. Notice that _MINT() takes TOTAL_SUPPLY as input for tokenId:

```huff
#define macro MINT_HORSE() = takes (0) returns (0) {
    [TOTAL_SUPPLY] // tokenId
    caller         // to
    _MINT()        // input stack: [to, tokenId]
    stop
}
```

This means that if MINT_HORSE() is called multiple times, all the new tokens will have the same ID, which could lead to unexpected behavior.

PoC

```solidity
address attacker = makeAddr("0x18a6");

function test_mintOneHorse() external {
    // rationale: check if someone mints one horse, total supply is updated
    vm.prank(attacker);
    horseStore.mintHorse();
    assertEq(horseStore.totalSupply(), 1);
    /*
    @audit-info [HUFF] FAIL. Reason: assertion failed
    */
}
```

Tools Used

Foundry test.

Recommendations

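Add logic to the MINT_HORSE() macro to update the supply, and pass the loaded supply value (not the TOTAL_SUPPLY slot constant) to _MINT() as the tokenId:

```huff
#define constant ONE = 0x01
#define macro MINT_HORSE() = takes (0) returns (0) {
    [TOTAL_SUPPLY] sload   // [supply]             current supply, used as the tokenId
    dup1 [ONE] add         // [supply + 1, supply]
    [TOTAL_SUPPLY] sstore  // [supply]             this updates TOTAL_SUPPLY
    caller                 // [msg.sender, supply]
    _MINT()                // []
    stop                   // []
}
```
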
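An added example (not part of the original submission) that models the stack effects of the vulnerable MINT_HORSE() from the Impact section and of a variant that loads the counter, stores the incremented value and passes the loaded value to _MINT(). It assumes TOTAL_SUPPLY is a constant holding a storage slot number (the value 7 is made up) and that _MINT() consumes [to, tokenId]; the names `VULNERABLE`, `COUNTING`, `run` and `mint_twice` are hypothetical.

```python
# Added illustration: a tiny stack-machine model of the Huff macros.
# Assumptions: TOTAL_SUPPLY is a constant holding a storage slot number
# (SLOT is a made-up value), and _MINT() pops [to, tokenId] from the stack.
SLOT = 7  # constructed slot number for TOTAL_SUPPLY

VULNERABLE = ["TOTAL_SUPPLY", "caller", "_MINT", "stop"]
COUNTING = ["TOTAL_SUPPLY", "sload", "dup1", "ONE", "add",
            "TOTAL_SUPPLY", "sstore", "caller", "_MINT", "stop"]


def run(macro, storage, minted, sender):
    """Execute one call of `macro`; the stack top is the end of the list."""
    stack = []
    for op in macro:
        if op == "TOTAL_SUPPLY":      # [TOTAL_SUPPLY] pushes the slot, not its value
            stack.append(SLOT)
        elif op == "ONE":
            stack.append(1)
        elif op == "caller":
            stack.append(sender)
        elif op == "dup1":
            stack.append(stack[-1])
        elif op == "add":
            stack.append(stack.pop() + stack.pop())
        elif op == "sload":
            stack.append(storage.get(stack.pop(), 0))
        elif op == "sstore":          # pops key (top), then value
            key, value = stack.pop(), stack.pop()
            storage[key] = value
        elif op == "_MINT":           # input stack: [to, tokenId]
            to, token_id = stack.pop(), stack.pop()
            minted.append((to, token_id))
        elif op == "stop":
            break
    assert not stack, "macro must leave the stack empty"


def mint_twice(macro):
    """Two callers mint once each; return (stored supply, tokenIds minted)."""
    storage, minted = {}, []
    for sender in ("alice", "bob"):
        run(macro, storage, minted, sender)
    return storage.get(SLOT, 0), [token_id for _, token_id in minted]


if __name__ == "__main__":
    print("vulnerable:", mint_twice(VULNERABLE))  # supply never changes, ids repeat
    print("counting:  ", mint_twice(COUNTING))    # supply increments, ids are unique
```
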
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Failure to increment total supply on mint
