FoundryNFT (Beginner Friendly)
Submission Details
Severity: high
Valid

`HorseStore.huff::MINT_HORSE` calls the `_MINT` function with the `totalSupply` storage pointer instead of the actual value

Description

MINT_HORSE() calls the _MINT() macro with the TOTAL_SUPPLY storage pointer (the storage slot number) as its tokenId parameter, never loading the value stored in that slot.

#define macro MINT_HORSE() = takes (0) returns (0) {
    [TOTAL_SUPPLY]    // [TOTAL_SUPPLY]            (the slot number, not the stored value)
    caller            // [msg.sender, TOTAL_SUPPLY]
    _MINT()           // []
}

However, the _MINT() macro assumes that this same parameter is the current value of the total supply, which it uses as the ID of the token being minted.

#define macro _MINT() = takes (2) returns (0) {
    // Input stack: [to, tokenId]
    // ...
}

Impact

TOTAL_SUPPLY is the first FREE_STORAGE_POINTER() constant, so it resolves to storage slot 0, and every call to mintHorse() pushes that constant 0 as the tokenId. The first mint therefore assigns token ID 0; every later call asks _MINT() to mint token ID 0 again and fails. As a result it is impossible to mint more than one horse NFT, and the token ID is never derived from totalSupply at all.

Proof of concept

Cannot mint more than one horse NFT. The following Foundry test should pass but fails, because the second mintHorse() call does not succeed:

// `horseStore` and `user` are the fixtures of the contest's test contract.
function testUserCanMintMultipleTokens() public {
    uint256 horse1Id = horseStore.totalSupply(); // 0 on a fresh deployment
    uint256 horse2Id = horse1Id + 1;             // expected ID of the second horse
    vm.prank(user);
    horseStore.mintHorse();                      // mints token ID 0
    vm.prank(user);
    horseStore.mintHorse();                      // tries to mint token ID 0 again and fails
    assertEq(horseStore.ownerOf(horse1Id), user);
    assertEq(horseStore.ownerOf(horse2Id), user); // never reached
}

Recommended mitigation

Load the value behind the storage pointer with `sload` before calling _MINT(), so the new token ID is the current totalSupply rather than the storage slot number:

  #define macro MINT_HORSE() = takes (0) returns (0) {
      [TOTAL_SUPPLY]    // [TOTAL_SUPPLY]
+     sload             // [totalSupply]
      caller            // [msg.sender, totalSupply]
      _MINT()           // []
  }
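
To make the stack-level difference between the two macros concrete in something that can actually be run, here is an added Python model; it is not code from the HorseStore repository or the contest. It replays MINT_HORSE() as shipped and with the `sload` fix against a toy EVM stack and storage. It assumes, as in HorseStore.huff, that TOTAL_SUPPLY is FREE_STORAGE_POINTER() and therefore slot 0, and it models _MINT() on a standard ERC721 _mint that rejects a zero recipient and a token ID that already has an owner; nothing else of the contract is modelled.

```python
"""Added example (not HorseStore code): a minimal model of the EVM stack and
storage operations used by MINT_HORSE(), showing why pushing [TOTAL_SUPPLY]
(a storage slot number) instead of sload-ing it (the stored value) pins the
token ID to 0.

Assumptions: TOTAL_SUPPLY = FREE_STORAGE_POINTER() = slot 0; _MINT() behaves
like a standard ERC721 _mint (reverts on zero recipient or already-owned ID).
"""

TOTAL_SUPPLY = 0      # #define constant TOTAL_SUPPLY = FREE_STORAGE_POINTER() -> slot 0
ZERO_ADDRESS = 0


class Revert(Exception):
    """Stands in for an EVM revert raised by a failed check inside _MINT()."""


class HorseStoreModel:
    def __init__(self):
        self.storage = {}      # storage slot -> 256-bit word
        self.owner_of = {}     # tokenId -> owner address (ERC721 ownership mapping)
        self.stack = []        # EVM operand stack; top of stack is the last element

    # Opcodes used by the macros.
    def push(self, word):
        self.stack.append(word)

    def sload(self):
        slot = self.stack.pop()                       # [slot] -> [storage[slot]]
        self.stack.append(self.storage.get(slot, 0))

    def caller(self, msg_sender):
        self.stack.append(msg_sender)                 # [..] -> [msg.sender, ..]

    # _MINT(): takes (2), expects [to, tokenId] with `to` on top of the stack.
    def _mint(self):
        to = self.stack.pop()
        token_id = self.stack.pop()
        if to == ZERO_ADDRESS:
            raise Revert("INVALID_RECIPIENT")
        if self.owner_of.get(token_id, ZERO_ADDRESS) != ZERO_ADDRESS:
            raise Revert("ALREADY_MINTED")
        self.owner_of[token_id] = to
        self.storage[TOTAL_SUPPLY] = self.storage.get(TOTAL_SUPPLY, 0) + 1

    # MINT_HORSE() as shipped: the constant is the slot number, so tokenId is always 0.
    def mint_horse_buggy(self, msg_sender):
        self.push(TOTAL_SUPPLY)     # [TOTAL_SUPPLY]
        self.caller(msg_sender)     # [msg.sender, TOTAL_SUPPLY]
        self._mint()                # []

    # MINT_HORSE() with the recommended fix: sload turns the slot number into its value.
    def mint_horse_fixed(self, msg_sender):
        self.push(TOTAL_SUPPLY)     # [TOTAL_SUPPLY]
        self.sload()                # [totalSupply]
        self.caller(msg_sender)     # [msg.sender, totalSupply]
        self._mint()                # []

    def total_supply(self):
        return self.storage.get(TOTAL_SUPPLY, 0)


def mint_twice(buggy, user=0xBEEF):
    """Replays the PoC test: the same user calls mintHorse() twice.
    Returns (sorted token IDs that ended up owned, revert reason or None)."""
    store = HorseStoreModel()
    mint = store.mint_horse_buggy if buggy else store.mint_horse_fixed
    reason = None
    for _ in range(2):
        try:
            mint(user)
        except Revert as exc:
            reason = str(exc)
            break
    return sorted(store.owner_of), reason


if __name__ == "__main__":
    print("as shipped:", mint_twice(buggy=True))    # ([0], 'ALREADY_MINTED')
    print("with sload:", mint_twice(buggy=False))   # ([0, 1], None)
```

Running the model shows the shipped macro minting token 0 once and then failing on the second call, while the `sload` variant mints IDs 0 and 1, exactly the behaviour the PoC test expects.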
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Failure to properly load the totalSupply in Huff
