Beginner Friendly, Foundry, NFT
Submission Details
Severity: medium
Invalid

`_nextTokenId` of `OneShot::mintRapper` is not initialized and can be called by anyone making it prone to a DoS attack

Summary

`OneShot::mintRapper` can be called by anyone, incrementing the `_nextTokenId` of the contract. This function is not restricted to any particular address, and it will always succeed. `_nextTokenId` is also used to assign token IDs during minting but is not initialized in the constructor.

Vulnerability Details

```solidity
function mintRapper() public {
    uint256 tokenId = _nextTokenId++;
    _safeMint(msg.sender, tokenId);
    rapperStats[tokenId] =
        RapperStats({weakKnees: true, heavyArms: true, spaghettiSweater: true, calmAndReady: false, battlesWon: 0});
}
```

Impact

Unintentional behavior and a potential DoS attack if the contract is meant to start with a non-zero token ID. This could also lead to a potential Denial of Service (DoS) through abuse if the contract is not intended to be used by anyone.

Tools Used

Manual review with assistance from Audit Wizard

Recommendations

Initialize `_nextTokenId` in the constructor. Restrict `OneShot::mintRapper` to a specific address or role.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
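
A check a reviewer can run against the counter pattern in `mintRapper`, added here as an example and not part of the submission, the judging, or the contest code base. Solidity zero-initializes a `uint256` state variable that has no initializer, so the test below confirms the starting value and that mints from different callers receive distinct sequential IDs. `OneShotCounterModel`, `Minter`, `nextTokenId()` and the return value on `mintRapper` are constructed for this model; ERC721 and `RapperStats` are left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed model of the counter logic in mintRapper (ERC721 and RapperStats omitted).
contract OneShotCounterModel {
    uint256 private _nextTokenId; // no initializer: storage starts at 0
    mapping(uint256 => address) public ownerOf;

    // Returns the id only so the test can inspect it; the original returns nothing.
    function mintRapper() public returns (uint256 tokenId) {
        tokenId = _nextTokenId++; // post-increment yields the old value
        require(ownerOf[tokenId] == address(0), "token id reused");
        ownerOf[tokenId] = msg.sender;
    }

    function nextTokenId() external view returns (uint256) {
        return _nextTokenId;
    }
}

// Hypothetical second caller, so the test mints from more than one address.
contract Minter {
    function mint(OneShotCounterModel model) external returns (uint256) {
        return model.mintRapper();
    }
}

// Foundry runs functions prefixed with `test`; a revert marks the test as failed.
contract OneShotCounterModelTest {
    function testCounterStartsAtZeroAndIdsAreUnique() public {
        OneShotCounterModel model = new OneShotCounterModel();
        Minter other = new Minter();

        require(model.nextTokenId() == 0, "counter should start at 0");

        uint256 first = model.mintRapper(); // minted by this test contract
        uint256 second = other.mint(model); // minted by a different address
        uint256 third = model.mintRapper();

        require(first == 0 && second == 1 && third == 2, "ids not sequential");
        require(model.ownerOf(first) == address(this), "wrong owner for id 0");
        require(model.ownerOf(second) == address(other), "wrong owner for id 1");
        require(model.nextTokenId() == 3, "counter should be 3");
    }
}
```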
