Beginner Friendly, Foundry, NFT
Submission Details
Severity: high
Valid

[HUFF] `TOTAL_SUPPLY()` is not loaded

Summary

The MINT_HORSE() macro has a vulnerability: the value that TOTAL_SUPPLY points to is not loaded during each minting operation.

Vulnerability Details

The vulnerability lies in the MINT_HORSE() macro. This macro uses a FREE_STORAGE_POINTER constant named TOTAL_SUPPLY to point to the ID of the new token. However, instead of loading the value stored at the slot TOTAL_SUPPLY points to (with sload), it feeds the pointer itself as the input for _MINT(). This means that the ID of the new token is the constant storage slot number assigned by FREE_STORAGE_POINTER, not the actual total supply of tokens.

Impact

The impact of this vulnerability is high. Because MINT_HORSE() always feeds the TOTAL_SUPPLY pointer to _MINT() instead of the value the pointer holds, every minting operation attempts to mint a token with the same ID. Since token IDs must be unique, the mint reverts with ALREADY_MINTED on every call after the first. This effectively prevents any new tokens from being minted after the first one, severely limiting the functionality of the contract.

PoC

function test_MintTwoHorses() external {
    // check that minting two horses updates the total supply
    vm.prank(address(0x18a6));
    horseStore.mintHorse();
    vm.prank(address(0x18a7));
    horseStore.mintHorse();

    assertEq(horseStore.totalSupply(), 2);
    /*
        @audit-info [HUFF] FAIL. Reason: revert: ALREADY_MINTED
    */
}

Tools Used

Foundry test.

Recommendations

Add logic to the MINT_HORSE() macro to increment TOTAL_SUPPLY and load the stored value before calling _MINT():

#define constant ONE = 0x01

#define macro MINT_HORSE() = takes (0) returns (0) {
    [TOTAL_SUPPLY] sload        // [totalSupply]
    [ONE] add                   // [totalSupply + 1]
    dup1 [TOTAL_SUPPLY] sstore  // [totalSupply + 1]              (incremented total supply written back to storage)
    caller                      // [msg.sender, totalSupply + 1]  (the [to, tokenId] stack _MINT() expects)
    _MINT()                     // []
    stop                        // []
}
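To make the stack argument concrete, here is an added example (mine, not the submission's or the HorseStore project's code): a small Python model of the relevant EVM opcodes that runs the buggy MINT_HORSE() opcode sequence and a corrected one once per caller, the way the PoC does. The TOTAL_SUPPLY slot number and the callers are constructed; _MINT() follows the [to, tokenId] input stack shown in the macro's comments.

```python
# Added example, not code from the finding or from the HorseStore project: a minimal
# EVM-style stack/storage model that traces the buggy MINT_HORSE() opcode sequence and
# a corrected one. _MINT is modelled on its [to, tokenId] input stack and ALREADY_MINTED
# revert; the slot number is a constructed stand-in for the FREE_STORAGE_POINTER value.
TOTAL_SUPPLY = 4
ONE = 1

class Evm:
    def __init__(self):
        self.stack = []      # last element is the top of the stack
        self.storage = {}    # slot -> word
        self.owners = {}     # tokenId -> owner, i.e. the ERC721 ownerOf mapping

    def run(self, ops, caller):
        s = self.stack = []                    # every call starts with an empty stack
        for op in ops:
            if isinstance(op, int):            # push of a constant such as [TOTAL_SUPPLY]
                s.append(op)
            elif op == "caller":
                s.append(caller)
            elif op == "sload":
                s.append(self.storage.get(s.pop(), 0))
            elif op == "sstore":               # pops the key first, then the value
                key, val = s.pop(), s.pop()
                self.storage[key] = val
            elif op == "add":
                s.append(s.pop() + s.pop())
            elif op.startswith("dup"):         # dupN copies the N-th item to the top
                s.append(s[-int(op[3:])])
            elif op == "_MINT":                # huffmate _MINT(): [to, tokenId] -> []
                to, token_id = s.pop(), s.pop()
                if token_id in self.owners:
                    raise RuntimeError("ALREADY_MINTED")
                self.owners[token_id] = to
            elif op == "stop":
                return

# Buggy: pushes the slot constant itself and hands it to _MINT as the token ID.
BUGGY = [TOTAL_SUPPLY, "caller", "_MINT", "stop"]
# Fixed: sload, add one, store it back, then push caller so [to, tokenId] is on the stack.
FIXED = [TOTAL_SUPPLY, "sload", ONE, "add", "dup1", TOTAL_SUPPLY, "sstore",
         "caller", "_MINT", "stop"]

def mint_from(ops, callers=(0x18a6, 0x18a7)):
    # One mint per caller; returns (totalSupply, owners, revert reason or None).
    evm, reason = Evm(), None
    try:
        for c in callers:
            evm.run(ops, c)
    except RuntimeError as e:
        reason = str(e)
    return evm.storage.get(TOTAL_SUPPLY, 0), dict(evm.owners), reason
```

Running `mint_from(BUGGY)` reproduces the PoC failure (one token with ID equal to the slot number, then ALREADY_MINTED, total supply never written), while `mint_from(FIXED)` mints IDs 1 and 2 to the two callers with total supply 2.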

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Failure to increment total supply on mint

Failure to properly load the totalSupply in Huff
