First Flight #12: Kitty Connect

Submission Details
Severity: low
Valid

Shop partners can mint an infinite number of cats for themselves

Summary

KittyConnect::mintCatToNewOwner checks that catOwner is not a shop partner, but KittyConnect::safeTransferFrom does not.

Vulnerability Details

A shop partner could create a smart contract that they own, so that they have full control of it. They can then mint any number of cats to such contracts, call approve() from the contract for their own address, and then use KittyConnect::safeTransferFrom to get the cat. This can be repeated any number of times.
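The asymmetry between the mint path and the transfer path, as an added example that is not the KittyConnect source or the submitter's code. `KittyModel`, `Holder`, `InvariantCheck` and the `hardened` flag are hypothetical, and the hardened branch assumes the intended fix is a check on `newOwner`. In the unhardened model the transfer to the shop partner goes through; in the hardened one it reverts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model added for illustration; NOT the KittyConnect source. Only the names
// s_isKittyShop, mintCatToNewOwner, safeTransferFrom and approve come from the report.
contract KittyModel {
    mapping(address => bool) public s_isKittyShop;
    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => address) public getApproved;
    bool public immutable hardened; // assumption: true = also check newOwner on transfer
    uint256 private nextId;

    constructor(address shop, bool _hardened) { s_isKittyShop[shop] = true; hardened = _hardened; }
    modifier onlyShopPartner() { require(s_isKittyShop[msg.sender], "not shop partner"); _; }

    // Mint path: refuses a shop partner as catOwner.
    function mintCatToNewOwner(address catOwner) external onlyShopPartner returns (uint256 id) {
        require(!s_isKittyShop[catOwner], "shop cannot own cat");
        id = nextId++;
        ownerOf[id] = catOwner;
    }

    function approve(address to, uint256 id) external {
        require(ownerOf[id] == msg.sender, "not owner");
        getApproved[id] = to;
    }

    // Transfer path: unless hardened, nothing stops newOwner being a shop partner.
    function safeTransferFrom(address currCatOwner, address newOwner, uint256 id) external onlyShopPartner {
        require(ownerOf[id] == currCatOwner, "not kitty owner");
        require(getApproved[id] == newOwner, "new owner not approved");
        if (hardened) require(!s_isKittyShop[newOwner], "shop cannot own cat");
        ownerOf[id] = newOwner;
        delete getApproved[id];
    }
}

// Stands in for the contract the shop partner controls.
contract Holder {
    function approveTo(KittyModel k, address to, uint256 id) external { k.approve(to, id); }
}

// This contract plays the shop partner and reports whether it ends up owning the cat.
contract InvariantCheck {
    function shopEndsUpOwner(bool hardened) external returns (bool) {
        KittyModel k = new KittyModel(address(this), hardened);
        Holder h = new Holder();
        uint256 id = k.mintCatToNewOwner(address(h));
        h.approveTo(k, address(this), id);
        try k.safeTransferFrom(address(h), address(this), id) {} catch {}
        return k.ownerOf(id) == address(this);
    }
}
```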

Impact

The protocol will be broken if a user is able to get any number of cats for free with no limit.

Tools Used

Manual review
Foundry testing

Recommendations

KittyConnect::safeTransferFrom needs a check that prevents a shop partner from receiving cats at their address:

function safeTransferFrom(address currCatOwner, address newOwner, uint256 tokenId, bytes memory data) public override onlyShopPartner {
require(_ownerOf(tokenId) == currCatOwner, "KittyConnect__NotKittyOwner");
+ require(!s_isKittyShop[msg.sender], "Shop partners must not own NFTs");
require(getApproved(tokenId) == newOwner, "KittyConnect__NewOwnerNotApproved");
_updateOwnershipInfo(currCatOwner, newOwner, tokenId);
emit CatTransferredToNewOwner(currCatOwner, newOwner, tokenId);
_safeTransfer(currCatOwner, newOwner, tokenId, data);
}
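Review bot: the require on the `+` line tests `s_isKittyShop[msg.sender]`, but the function signature two lines above carries `onlyShopPartner`. If that modifier admits only registered shops, as its name indicates, the new require fails for every caller the modifier lets through and safeTransferFrom can never succeed. The stated goal is to stop a shop partner from receiving cats at their address, so the check belongs on the recipient: `require(!s_isKittyShop[newOwner], "Shop partners must not own NFTs");`.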
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Shop partner can own cats via safeTransfer
