Submission Details
Severity: high
Valid

Default Function Dispatching Calls `totalSupply()`

Summary

When the Huff version of the HorseStore contract (HorseStore.huff) receives a call that matches no function signature, the default path it takes (the equivalent of Solidity's fallback()) runs the logic of the totalSupply() function.

Vulnerability Details

The snippet below shows that when no signature is matched, execution falls through to GET_TOTAL_SUPPLY(), which contains the logic of totalSupply().

dup1 __FUNC_SIG(balanceOf) eq balanceOf jumpi
dup1 __FUNC_SIG(ownerOf) eq ownerOf jumpi
totalSupply:
@> GET_TOTAL_SUPPLY()
...

Also, a default MINT_HORSE() is present at the end of the dispatching logic which doesn't really make sense:

ownerOf:
OWNER_OF()
@> MINT_HORSE()
}

Impact

Any user calling the contract with a random or empty function signature effectively calls totalSupply() instead of having the call revert.
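
As an added illustration (not code from the HorseStore project or from this submission), the Python model below replays the dispatch table as a flat instruction list to show why an unmatched selector lands in GET_TOTAL_SUPPLY(), and what changes once a revert follows the last jumpi. The totalSupply dispatch line, the BALANCE_OF name, the label order and the assumption that each macro ends in a return are constructed for the model.

```python
"""Model of a Huff MAIN() dispatch table (added example, not project code)."""

# Standard 4-byte selectors of the three functions named in the finding.
SELECTORS = {
    "totalSupply": bytes.fromhex("18160ddd"),  # totalSupply()
    "balanceOf": bytes.fromhex("70a08231"),    # balanceOf(address)
    "ownerOf": bytes.fromhex("6352211e"),      # ownerOf(uint256)
}

# Instructions: ("jumpi", label) jumps when the selector matches,
# ("label", name) is a jump destination, ("macro", name) is an inlined
# macro body, ("revert",) reverts. The layout below is an assumption.
DISPATCH = [("jumpi", n) for n in ("totalSupply", "balanceOf", "ownerOf")]
BODIES = [
    ("label", "totalSupply"), ("macro", "GET_TOTAL_SUPPLY"),
    ("label", "balanceOf"), ("macro", "BALANCE_OF"),  # BALANCE_OF: assumed name
    ("label", "ownerOf"), ("macro", "OWNER_OF"),
]
VULNERABLE = DISPATCH + BODIES + [("macro", "MINT_HORSE")]
FIXED = DISPATCH + [("revert",)] + BODIES


def run(program, calldata, non_halting=frozenset()):
    """Return (macros executed, outcome) for one call.

    Macros are assumed to end in `return`; names in `non_halting` model a
    macro that does not, so execution continues into whatever follows it.
    """
    selector = bytes(calldata[:4])
    labels = {ins[1]: i for i, ins in enumerate(program) if ins[0] == "label"}
    executed, pc = [], 0
    while pc < len(program):
        op = program[pc]
        if op[0] == "jumpi" and selector == SELECTORS[op[1]]:
            pc = labels[op[1]]  # taken jump
            continue
        if op[0] == "revert":
            return executed, "revert"
        if op[0] == "macro":
            executed.append(op[1])
            if op[1] not in non_halting:
                return executed, "return"
        pc += 1  # untaken jumpi, label, or non-halting macro: fall through
    return executed, "stop"  # ran off the end of the code


if __name__ == "__main__":
    for name, prog in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        for data in (b"", bytes.fromhex("deadbeef"), SELECTORS["ownerOf"]):
            print(name, data.hex() or "<empty>", run(prog, data))
```

Passing non_halting={"OWNER_OF"} shows the second hazard: in the vulnerable layout an ownerOf call would continue into MINT_HORSE().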

Tools Used

Foundry and manual analysis.

Recommendations

It is recommended to add failed-dispatch logic for the case where no function signature matches:

dup1 __FUNC_SIG(balanceOf) eq balanceOf jumpi
dup1 __FUNC_SIG(ownerOf) eq ownerOf jumpi
+ // Revert on failed dispatch
+ 0x00 dup1 revert
totalSupply:
GET_TOTAL_SUPPLY()
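
Review bot: the added `0x00 dup1 revert` sits directly above the `totalSupply:` label, and the dispatch lines visible here only jump for balanceOf and ownerOf. If totalSupply() was being reached by fall-through rather than by its own `dup1 __FUNC_SIG(totalSupply) eq totalSupply jumpi` line, this change makes it unreachable, so confirm that line exists above the hunk or add it. A Foundry test asserting that an unmatched selector and empty calldata both revert, while totalSupply() still returns, would pin the behaviour down.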

Also, make sure to remove the last MINT_HORSE() call at the end of the dispatching logic to avoid any future logic errors:

ownerOf:
OWNER_OF()
- MINT_HORSE()
}
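
Review bot: once `MINT_HORSE()` is removed, `OWNER_OF()` is the last thing before the closing `}`, and the hunk does not show whether that macro ends in a return or revert. If it does not, execution runs off the end of the code and stops with success, so check the macro body and terminate the branch explicitly if needed. The hunk also shows no label or dispatch line for minting; confirm that MINT_HORSE() is still reachable through its own selector after this removal.
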
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

MAIN() macro is not properly implemented

Any call data sent to the contract that doesn't contain a function selector will randomly mint a horse.
