First Flight #7: Horse Store

First Flight #7

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

In Huff, only 1 horse token can be minted

bigBagBoogy

Summary

In Huff, only 1 horse token can be minted due to horseId not updating.

Vulnerability Details

The Huff code is not correctly updating the TOTAL_SUPPLY and horseId after a horse token is minted, leading to the ALREADY_MINTED error when trying to mint the second horse. When minting, the horseId param may have been intended to be derived from the TOTAL_SUPPLY. Since TOTAL_SUPPLY does not update horseId, the mint function reverts because the Huff code checks for horseId- uniquiness.

Impact

This completely breaks the functionality of the protocol. Multiple users should be able to mint horse tokens.

Proof of Concept: please place this code at the bottom of `Base_Test.t.sol` and run

forge test --mt testTwoUsersCanMintAHorse -vvvvv. please also add consol2 to the imports like so: import {Test, console2, StdInvariant} from "forge-std/Test.sol";

function testTwoUsersCanMintAHorse() public {

console2.log("totalSupply", horseStore.totalSupply());

vm.prank(alice); // user does next line

horseStore.mintHorse(); // this is the first horse an has tokenId 0

console2.log("totalSupply", horseStore.totalSupply());

vm.prank(bob);

horseStore.mintHorse(); // this should be tokenId 1

horseStore.balanceOf(alice);

horseStore.balanceOf(bob);

console2.log("who owns horse 0?", horseStore.ownerOf(0));

console2.log("who owns horse 1?", horseStore.ownerOf(1));

}

Recommendations

TOTAL_SUPPLY not updating can be fixed by adding the following code:

// Increment totalSupply

[TOTAL_SUPPLY] sload // [currentTotalSupply]

0x01 add // [newTotalSupply]

[TOTAL_SUPPLY] sstore // []

This code should be added after the transfer event has been emitted. in the _MINT function.

While this does fix `TOTAL_SUPPLY` not updating, it still not simultaneously updates `horseId`

After extensive research I regrettably was not able to write a functional model where the updated TOTAL_SUPPLY transfers it's value to horseId.

therefore:
I'm looking forward to a deepdive for this codebase in part 2 of the sc security audit course!

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago

Submission Judgement Published

Validated

Assigned finding tags:

Failure to increment total supply on mint

Failure to properly load the totalSupply in Huff

Rewards breakdown

nSLOC

460

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.