First Flight #7: Horse Store
First Flight #7
Beginner FriendlyFoundryNFT
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

mintHorse() in the Solidity implementation uses _safeMint(), but in Huff implementation it just mint it without calling receiver even if receiver is a contract

kaiziron

Summary

mintHorse() in the Solidity implementation uses _safeMint(), but in Huff implementation it just mint it without calling receiver even if receiver is a contract

Vulnerability Details

The mintHorse() function in the Solidity implementation uses _safeMint() calls the receiver if the receiver is a contract to ensure it supports ERC721. But in the Huff implementation this check is absent

Impact

With the Huff implementation some horses NFT might be minted to contracts that don't support ERC721 and stuck in those contracts, but in the Solidity implementation it should revert

PoC

function testSafeMint() public {
vm.expectRevert();
horseStore.mintHorse();
}
Running 1 test for test/HorseStoreSolidity.t.sol:HorseStoreSolidity
[PASS] testSafeMint() (gas: 88270)
Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 7.73ms
Running 1 test for test/HorseStoreHuff.t.sol:HorseStoreHuff
[FAIL. Reason: call did not revert as expected] testSafeMint() (gas: 56894)
Test result: FAILED. 0 passed; 1 failed; 0 skipped; finished in 764.90ms

Tools Used

Manual review

Recommendations

Perform the onERC721Received() external call to receiver if receiver is a contract in the Huff implementation just like what _safeMint() does in Solidity

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Components of ERC721 not properly (or at all) implemented in HUFF

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.