Submission Details
Severity:
```HorseStore.sol::mintHorse()``` called by a smart contract reverts
Summary
As described in the documentation (ref. README.md file) the mintHorse() function allows anyone to mint their own horse NFT. But in it the caller of the HorseStore.sol::mintHorse() is a smart contract the mint fails. The HorseStore.sol::mintHorse() isn't able to receive the NFT because is missing the onERC721Received() function.
Vulnerability Details
function mintHorse() external {
@> _safeMint(msg.sender, totalSupply());
}
Impact
//A smart contract mint function call reverts
function testMintingHorseOwnerIsContract() public {
uint256 horseId = horseStore.totalSupply();
console2.log("horseId: %s", horseId);
//For test purpose we assume that the caller is a contract and we use the horseStore
vm.prank(address(horseStore));
horseStore.mintHorse();
assertEq(horseStore.ownerOf(horseId), address(horseStore));
}
Failing tests:
Encountered 1 failing test in test/HorseStoreSolidity.t.sol:HorseStoreSolidity
[FAIL. Reason: ERC721InvalidReceiver(0x5615dEB798BB3E4dFa0139dFa1b3D433Cc23b72f)] testMintingHorseOwnerIsContract() (gas: 92604)
If the caller of the mintHorse() function is a smart contract (in our test we use directly the horseStore contract, the mint fails.
Tools Used
Manual review
Recommendations
Add the onERC721Received() function in the HorseStore.sol contract.
+ function onERC721Received(address, address, uint256, bytes calldata) external pure returns (bytes4) {
+ return this.onERC721Received.selector;
+ }
Rewards breakdown
nSLOC
460This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.