Submission Details
Severity: high
Valid

No way for the user to mint an NFT for the `MondrianWallet`

Summary

The MondrianWallet protocol states that an NFT is minted to whoever creates an account abstraction wallet, but there is no way to mint an NFT to the user.

In addition, MondrianWallet is itself the user's wallet, yet it inherits ERC721. That inheritance is largely irrelevant: NFT handling should live in a MondrianWallet Deployer, which should let the user deploy their MondrianWallet and mint the NFT.

Vulnerability Details

  • The vulnerability is in the design of MondrianWallet: there is no way for users to get their NFT.

  • The NFT is associated with the MondrianWallet, and there is no way for anyone to mint it.

  • As each wallet is associated with its own owner, it is irrelevant to associate ERC721 inheritance with the MondrianWallet.

  • Instead, there should be a deployer contract that is an ERC721 contract and allows users to create their MondrianWallet and mint their NFT.

Impact

Users can't have their NFT.

Tools Used

Manual Review

Recommendations

Create a Deployer contract that inherits the ERC721 contract and allows the user to deploy their MondrianWallet along with the NFT.

Also, the ERC721 associated with MondrianWallet is insignificant, as it is the wallet and not a source to mint NFTs; therefore, consider removing the ERC721 functionality from MondrianWallet.
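
One possible shape for the recommended Deployer, as an added sketch that is not code from the submission or from the MondrianWallet project. `WalletStub`, `MondrianWalletDeployer`, `deployWallet`, `walletOf`, the collection name and symbol, and the constructor parameters are all hypothetical; the real wallet's constructor and account-abstraction logic are not shown on this page, and minting to the caller rather than to the wallet address is a design choice assumed here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

// Hypothetical stand-in for the wallet with its ERC721 inheritance removed.
// Only an owner and an entry point are assumed; everything else is omitted.
contract WalletStub {
    address public immutable owner;
    address public immutable entryPoint;

    constructor(address _owner, address _entryPoint) {
        require(_owner != address(0), "owner is zero");
        owner = _owner;
        entryPoint = _entryPoint;
    }

    receive() external payable {}
}

// Hypothetical deployer: the single ERC721 collection, one token per wallet.
contract MondrianWalletDeployer is ERC721 {
    address public immutable entryPoint;
    uint256 public nextTokenId;
    mapping(uint256 tokenId => address wallet) public walletOf;

    event WalletDeployed(address indexed owner, address wallet, uint256 tokenId);

    // Name and symbol are placeholders chosen for this example.
    constructor(address _entryPoint) ERC721("MondrianWallet", "MW") {
        entryPoint = _entryPoint;
    }

    // Deploys a wallet owned by the caller and mints the matching NFT to them.
    function deployWallet() external returns (address wallet, uint256 tokenId) {
        tokenId = nextTokenId++;
        wallet = address(new WalletStub(msg.sender, entryPoint));
        walletOf[tokenId] = wallet;
        emit WalletDeployed(msg.sender, wallet, tokenId);
        // State is written before _safeMint because it calls back into
        // msg.sender when the caller is a contract.
        _safeMint(msg.sender, tokenId);
    }
}
```

Deployment and minting happen in one transaction, so a wallet cannot exist without its NFT, and the wallet contract itself carries no token logic.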

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

The Wallet doesn't end up owning any nft

shikhar229169 Submitter
about 1 year ago
inallhonesty Lead Judge
about 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Extremely Wrong Implementation of ERC721

The Wallet doesn't end up owning any nft
