Beginner FriendlyFoundryNFT
100 EXP
View results
Submission Details
Severity: high
Valid

HorseStore.huff::_MINT() does not update TOTAL_SUPPLY

Summary

The _MINT() does not update TOTAL_SUPPLY storage, leading to a revert if mintHorse() is called more than once, as subsequent calls with the same token_id 0 result in duplicate minting

Vulnerability Details

Add this test to Base_Test.t.sol and run forge test --mt testMultipleMint -vvvv to validate the issue

function testMultipleMint() public {
vm.startPrank(user);
for (uint256 index; index < 100; ++index) {
horseStore.mintHorse();
}
vm.stopPrank();
assertEq(100, horseStore.totalSupply());
}

A revert occurs when the mintHorse() function is called for the second time, output:

[62292] HorseStoreHuff::testMultipleMint()
├─ [0] VM::startPrank(user: [0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D])
│ └─ ← ()
├─ [50931] 0x6d2eed85750d316088343D6d5e91ca59eb052768::mintHorse()
│ ├─ emit Transfer(from: 0x0000000000000000000000000000000000000000, to: user: [0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D], tokenId: 0)
│ └─ ← ()
├─ [501] 0x6d2eed85750d316088343D6d5e91ca59eb052768::mintHorse()
│ └─ ← revert: ALREADY_MINTED
└─ ← revert: ALREADY_MINTED

Impact

The mintHorse() function is not functioning properly, and users can only successfully call it once.

Tools Used

manual inspection

Recommendations

Update TOTAL_SUPPLY in the _MINT(), Add the following line of code in the _MINT() in HorseStore.huf

// Give tokens to the recipient.
TRANSFER_GIVE_TO() // [from (0x00), to, tokenId]
+ [TOTAL_SUPPLY] sload 0x01 add [TOTAL_SUPPLY] sstore
// Emit the transfer event.
__EVENT_HASH(Transfer) // [sig, from (0x00), to, tokenId]
0x00 0x00 log4 // []
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Failure to increment total supply on mint

Failure to properly load the totalSupply in Huff

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.