Submission Details
Severity: high
Invalid

`mintRapper` can mint unlimited tokens

Summary

`mintRapper` allows a rapper to mint unlimited tokens.

Impact

The discrepancy between allowing unlimited NFT minting by the owner and the documented behavior of users being able to mint only one NFT introduces a high impact, potentially leading to centralization and disruption of intended distribution.

PoC

```solidity
function testMintUnlimitedRappers() public {
    address testUser = makeAddr("Bob");
    vm.prank(testUser);
    oneShot.mintRapper();
    console.log(oneShot.getNextTokenId());
    vm.prank(testUser);
    oneShot.mintRapper();
    console.log(oneShot.getNextTokenId());
    vm.prank(testUser);
    oneShot.mintRapper();
    console.log(oneShot.getNextTokenId());
}
```

Result:

```
[PASS] testMintUnlimitedRappers() (gas: 212714)
Logs:
  1
  2
  3
Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 2.64ms
Ran 1 test suites: 1 tests passed, 0 failed, 0 skipped (1 total tests)
```

Recommendations

Add a check that doesn't allow a rapper to mint more than one NFT.

For example:

```solidity
// Define a mapping to track whether an address has already minted a rapper
mapping(address => bool) public hasMintedRapper;

function mintRapper() public {
    // Check if the caller has already minted a rapper
    require(!hasMintedRapper[msg.sender], "You can only mint one rapper.");

    // Mark the caller as having minted a rapper before _safeMint runs:
    // _safeMint calls onERC721Received on contract recipients, so the flag
    // must already be set if that callback re-enters mintRapper
    hasMintedRapper[msg.sender] = true;

    uint256 tokenId = _nextTokenId++;
    _safeMint(msg.sender, tokenId);

    // Initialize metadata for the minted token
    rapperStats[tokenId] = RapperStats({
        weakKnees: true,
        heavyArms: true,
        spaghettiSweater: true,
        calmAndReady: false,
        battlesWon: 0
    });
}
```
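
A regression test for the recommended guard, added here as an example and not part of the original submission or the project's test suite. It assumes it sits in the same Foundry test contract as the PoC, that `setUp()` deploys a fresh `oneShot`, and that the contract exposes the `hasMintedRapper` getter from the patch above; `testMintRapperOncePerAddress` is a hypothetical name.

```solidity
// Added example: assumes `oneShot` is freshly deployed in setUp() with the
// recommended `hasMintedRapper` guard applied.
function testMintRapperOncePerAddress() public {
    address bob = makeAddr("Bob");
    address alice = makeAddr("Alice");

    // First mint from Bob succeeds and records the flag.
    vm.prank(bob);
    oneShot.mintRapper();
    assertTrue(oneShot.hasMintedRapper(bob));
    assertEq(oneShot.balanceOf(bob), 1);
    assertEq(oneShot.getNextTokenId(), 1);

    // A second mint from the same address must revert with the guard's message.
    vm.prank(bob);
    vm.expectRevert("You can only mint one rapper.");
    oneShot.mintRapper();

    // The reverted call must not consume a token id or change Bob's balance.
    assertEq(oneShot.getNextTokenId(), 1);
    assertEq(oneShot.balanceOf(bob), 1);

    // The guard is keyed on msg.sender, so a different caller can still mint.
    vm.prank(alice);
    oneShot.mintRapper();
    assertTrue(oneShot.hasMintedRapper(alice));
    assertEq(oneShot.balanceOf(alice), 1);
    assertEq(oneShot.getNextTokenId(), 2);
}
```
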
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
