Users can mint as many rapper NFTs as they wish without any cost, making the NFT worthless.
OneShot.mintRapper() has no access control and does not check whether msg.sender has already minted an NFT:
A user can mint as many rapper NFTs as they wish, since there is no upper bound on the totalSupply of this NFT.
Each rapper NFT becomes worthless, since anyone can mint as many as they wish and minting is free.
For example, a random user can mint 100 NFTs for free. Add the following test case to OneShotTest.t.sol:
Run test:
Manual review
Consider adding a mapping to record if msg.sender already minted an NFT:
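One way to implement that mapping, shown as an added example and not the report's or the project's own code. The contract name OneShotGuarded, the hasMinted mapping, the AlreadyMinted error, the _nextTokenId counter and the token name and symbol are assumptions, and the import assumes OpenZeppelin Contracts v5 is installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

// Added illustration, not the audited OneShot contract. The contract name,
// hasMinted, AlreadyMinted, _nextTokenId and the token name/symbol are
// assumptions made for this sketch.
contract OneShotGuarded is ERC721 {
    error AlreadyMinted(address minter);

    // True once an address has used its single mint.
    mapping(address => bool) public hasMinted;

    // Next token id to assign (starts at 0).
    uint256 private _nextTokenId;

    constructor() ERC721("Rapper", "RPR") {}

    function mintRapper() external {
        // Check: reject a second mint from the same address.
        if (hasMinted[msg.sender]) revert AlreadyMinted(msg.sender);

        // Effect: set the flag before minting. _safeMint calls
        // onERC721Received on contract recipients, so writing the flag
        // after the mint would let a receiving contract re-enter
        // mintRapper() and mint again before the flag is set.
        hasMinted[msg.sender] = true;

        // Interaction: mint the next token id to the caller.
        uint256 tokenId = _nextTokenId++;
        _safeMint(msg.sender, tokenId);
    }
}
```

The flag limits each address to one mint; it does not by itself cap totalSupply, because a user can call from many addresses.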