Severity: high
Valid

TOTAL_SUPPLY variable not updating in _MINT() macro

Summary

TOTAL_SUPPLY variable not updating in _MINT() macro

Vulnerability Details

The TOTAL_SUPPLY variable is not updated in the _MINT() macro. As a result, totalSupply = GET_TOTAL_SUPPLY returns 0.

PoC:

// forge-std provides Test (vm, makeAddr, assertEq) and console2.
import {Test, console2} from "forge-std/Test.sol";
// HorseStore comes from the project's own source; its import path is not shown in this report.

abstract contract Base_Test is Test {
    HorseStore horseStore;
    address user = makeAddr("user");
    string public constant NFT_NAME = "HorseStore";
    string public constant NFT_SYMBOL = "HS";

    function setUp() public virtual {
        horseStore = new HorseStore();
    }

    function testTotalSupply() public {
        // Supply before any mint.
        uint256 totalSupply0 = horseStore.totalSupply();
        console2.log("totalSupply0:", totalSupply0);

        // Mint one horse as `user`.
        vm.prank(user);
        horseStore.mintHorse();

        // Supply after the mint.
        uint256 totalSupply1 = horseStore.totalSupply();
        console2.log("totalSupply1:", totalSupply1);
        assertEq(totalSupply1, 1); // totalSupply after mint must equal 1
    }
}

Run:

forge test --mt testTotalSupply -vvv

Result:

Running 1 test for test/HorseStoreSolidity.t.sol:HorseStoreSolidity
[PASS] testTotalSupply() (gas: 95303)
Logs:
totalSupply0: 0
totalSupply1: 1
Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 24.35ms
Running 1 test for test/HorseStoreHuff.t.sol:HorseStoreHuff
[FAIL. Reason: assertion failed] testTotalSupply() (gas: 78584)
Logs:
totalSupply0: 0
totalSupply1: 0
Error: a == b not satisfied [uint]
Left: 0
Right: 1
Traces:
[78584] HorseStoreHuff::testTotalSupply()
├─ [2149] 0x6d2eed85750d316088343D6d5e91ca59eb052768::totalSupply() [staticcall]
│ └─ ← 0x0000000000000000000000000000000000000000000000000000000000000000
├─ [0] console::log("totalSupply0:", 0) [staticcall]
│ └─ ← ()
├─ [0] VM::prank(user: [0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D])
│ └─ ← ()
├─ [48831] 0x6d2eed85750d316088343D6d5e91ca59eb052768::61fc6a67()
│ ├─ emit Transfer(from: 0x0000000000000000000000000000000000000000, to: user: [0x6CA6d1e2D5347Bfab1d91e883F1915560e09129D], tokenId: 0)
│ └─ ← ()
├─ [149] 0x6d2eed85750d316088343D6d5e91ca59eb052768::totalSupply() [staticcall]
│ └─ ← 0x0000000000000000000000000000000000000000000000000000000000000000
├─ [0] console::log("totalSupply1:", 0) [staticcall]
│ └─ ← ()
├─ emit log(val: "Error: a == b not satisfied [uint]")
├─ emit log_named_uint(key: " Left", val: 0)
├─ emit log_named_uint(key: " Right", val: 1)
├─ [0] VM::store(VM: [0x7109709ECfa91a80626fF3989D68f67F5b1DD12D], 0x6661696c65640000000000000000000000000000000000000000000000000000, 0x0000000000000000000000000000000000000000000000000000000000000001)
│ └─ ← ()
└─ ← ()
Test result: FAILED. 0 passed; 1 failed; 0 skipped; finished in 1.74s
Ran 2 test suites: 1 tests passed, 1 failed, 0 skipped (2 total tests)
Failing tests:
Encountered 1 failing test in test/HorseStoreHuff.t.sol:HorseStoreHuff
[FAIL. Reason: assertion failed] testTotalSupply() (gas: 78584)

So the test passed for the Solidity version and failed for the Huff version.

Impact

NFT token IDs are based on total supply, so with the supply stuck at 0 we won't be able to mint more than 1 horse.
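
The impact can be modelled offline. The following is an added example, not code from the report or the HorseStore project: a small stack machine runs the three opcodes this report recommends for the end of _MINT and compares repeated mints with and without them. The slot number, the owners map and the "revert if the ID is already minted" rule are assumptions made for the model.

```python
TOTAL_SUPPLY = 0x00  # assumed storage slot; the report does not state its value

# The recommended Huff lines, one opcode per tuple:
#   [TOTAL_SUPPLY] sload / 0x01 add / [TOTAL_SUPPLY] sstore
FIX = [("push", TOTAL_SUPPLY), ("sload",), ("push", 0x01), ("add",),
       ("push", TOTAL_SUPPLY), ("sstore",)]

class Revert(Exception):
    pass

def run(ops, stack, storage):
    """Execute a small subset of EVM opcodes and return the resulting stack."""
    stack = list(stack)
    for op, *arg in ops:
        if op == "push":
            stack.append(arg[0])
        elif op == "sload":
            stack.append(storage.get(stack.pop(), 0))
        elif op == "add":
            stack.append((stack.pop() + stack.pop()) % 2**256)
        elif op == "sstore":
            key, value = stack.pop(), stack.pop()  # top of stack is the slot
            storage[key] = value
        else:
            raise ValueError(f"unsupported opcode: {op}")
    return stack

def mint_horse(storage, owners, caller, patched):
    """Hypothetical model of mintHorse: the token ID is the current TOTAL_SUPPLY."""
    token_id = storage.get(TOTAL_SUPPLY, 0)
    if token_id in owners:  # assumed behaviour: an already-minted ID is rejected
        raise Revert(f"token {token_id} already minted")
    owners[token_id] = caller
    if patched:
        leftover = run(FIX, [], storage)
        assert leftover == []  # the added lines leave the stack as they found it
    return token_id

def mint_n(n, patched):
    """Attempt n mints; return the IDs actually minted and the final supply."""
    storage, owners, ids = {}, {}, []
    try:
        for _ in range(n):
            ids.append(mint_horse(storage, owners, "user", patched))
    except Revert:
        pass  # stop at the first rejected mint
    return ids, storage.get(TOTAL_SUPPLY, 0)
```

Without the increment, three attempted mints yield only token 0 and a supply of 0; with it, tokens 0, 1 and 2 are minted and the supply reads 3.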

Tools Used

forge test

Recommendations

Update at the end of _MINT macro:

+ [TOTAL_SUPPLY] sload // Load the current total supply.
+ 0x01 add // Add one to the total supply.
+ [TOTAL_SUPPLY] sstore // Store the updated total supply back.
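
Review bot: the three added lines come with no context lines, so "the end of _MINT" is ambiguous; say explicitly that they must sit on the successful mint path, before any opcode that ends execution, otherwise the sstore is never reached. The sequence itself is stack-neutral (sload and add leave one value, which sstore consumes together with the pushed slot), so it should not change what the macro takes or returns. The PoC mints only once; extending testTotalSupply to mint twice and assert a supply of 2 would confirm that the fix also removes the one-horse limit described under Impact.
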
Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

Failure to increment total supply on mint

Failure to properly load the totalSupply in Huff
