The Horse Store exhibits a critical functional discrepancy between its Solidity and Huff implementations concerning the minting process. While the Solidity version employs a safeMint function, ensuring compliance with ERC721's safety checks, the Huff version uses an equivalent to the _mint function, which lacks these safety measures.
The issue arises due to the differing implementations of the minting function in the two versions of the contract:
Solidity version (safeMint): This function performs a safety check by triggering the onERC721Received callback when transferring a newly minted NFT to a contract. This check ensures that the receiving contract is capable of handling ERC721 tokens, thus preventing tokens from being locked in contracts that do not support them.
Huff version (_mint equivalent): This implementation does not invoke the onERC721Received callback. As a result, it lacks the safety mechanism to verify whether the recipient contract can handle ERC721 tokens.
The absence of safety checks in the Huff version poses a significant risk. NFTs could be inadvertently transferred to contracts that do not support the ERC721 standard, potentially resulting in the permanent loss of those assets. This undermines the security and reliability of the NFT contract, potentially affecting user trust and the contract's integrity.
The issue was identified through a Proof of Concept (PoC).
To address this issue, it is recommended to update the Huff version of the NFT contract to include a safe minting function akin to safeMint in Solidity. This function should ensure the onERC721Received callback is properly called during the minting process.
Implementing these changes is crucial for aligning the Huff version with the expected standards of ERC721 and ensuring the security and reliability of the NFT minting process.
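The following Solidity sketch, added here as an illustration and not taken from the Horse Store codebase, shows the exact receiver check that separates safeMint from _mint: the same state change is made, and then, only when the recipient has code, onERC721Received is called and its return value compared with the expected selector. Contract and function names are assumed for the example; the ERC721 state is reduced to an owners mapping.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed receiver interface (matches the ERC721 standard callback shape).
interface IERC721Receiver {
    function onERC721Received(address operator, address from, uint256 tokenId, bytes calldata data)
        external returns (bytes4);
}

// Illustrative contract (not the Horse Store code); access control omitted for brevity.
contract SafeMintExample {
    mapping(uint256 => address) private _owners;

    event Transfer(address indexed from, address indexed to, uint256 indexed tokenId);

    error ERC721InvalidReceiver(address receiver);
    error AlreadyMinted(uint256 tokenId);

    // Unchecked mint: the behaviour the Huff version currently corresponds to.
    // A contract recipient that cannot handle ERC721 tokens still receives the token.
    function _mint(address to, uint256 tokenId) internal {
        if (_owners[tokenId] != address(0)) revert AlreadyMinted(tokenId);
        _owners[tokenId] = to;
        emit Transfer(address(0), to, tokenId);
    }

    // Safe mint: same state change, followed by the receiver check.
    function _safeMint(address to, uint256 tokenId, bytes memory data) internal {
        _mint(to, tokenId);
        _checkOnERC721Received(to, tokenId, data);
    }

    // Only addresses with code are probed; an EOA cannot answer the callback.
    // The recipient must return its own onERC721Received selector. Any other
    // value, a revert, or a missing implementation makes the whole mint revert,
    // so the token is never left in a contract that cannot handle it.
    function _checkOnERC721Received(address to, uint256 tokenId, bytes memory data) private {
        if (to.code.length == 0) return;
        try IERC721Receiver(to).onERC721Received(msg.sender, address(0), tokenId, data) returns (bytes4 retval) {
            if (retval != IERC721Receiver.onERC721Received.selector) revert ERC721InvalidReceiver(to);
        } catch {
            revert ERC721InvalidReceiver(to);
        }
    }

    function safeMint(address to, uint256 tokenId) external { _safeMint(to, tokenId, ""); }

    function ownerOf(uint256 tokenId) external view returns (address) { return _owners[tokenId]; }
}
```

A Huff implementation of the same fix needs the equivalent steps after writing ownership: EXTCODESIZE on the recipient, a CALL to onERC721Received with the standard arguments, and a revert unless the returned word equals the callback's selector.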