FoundryNFT (Beginner Friendly, 100 EXP)
Submission Details
Severity: high
Valid

Anyone can call `RamNFT::mintRamNFT()`, violating the protocol requirement

Summary

Per the requirement stated in the README, `mintRamNFT()` must be called only by the `Dussehra` contract, which mints Ram NFTs to users after they pay the entrance fee. Nothing in `RamNFT` restricts who may call the function, so any address can call it directly, which is not the expected behavior.

Vulnerability Details

Anyone can call `RamNFT::mintRamNFT()` directly and mint any number of NFTs to any address without paying the `entranceFee` that `Dussehra` collects.

Paste the code below into `Dussehra.t.sol` and run: `forge test --mt test__AnyoneCanMintDirectly`

```solidity
function test__AnyoneCanMintDirectly() public {
    // player1 calls RamNFT directly, bypassing Dussehra and its 1 ether entrance fee
    vm.startPrank(player1);
    ramNFT.mintRamNFT(player1);
    vm.stopPrank();
    assertEq(ramNFT.ownerOf(0), player1);
    assertEq(ramNFT.getCharacteristics(0).ram, player1);

    // the same caller can keep minting, to any recipient, still without paying
    vm.startPrank(player1);
    ramNFT.mintRamNFT(player2);
    vm.stopPrank();
    assertEq(ramNFT.ownerOf(1), player2);
    assertEq(ramNFT.getCharacteristics(1).ram, player2);
    assertEq(ramNFT.getNextTokenId(), 2);
}
```

Impact

Any address can mint Ram NFTs to any recipient for free, bypassing the entrance fee and the `Dussehra` flow entirely. This breaks the protocol's core invariant that every Ram NFT corresponds to a paid entry, which is why the finding is rated high.

Tools Used

Foundry

Recommendations

To restrict minting to the `Dussehra` contract, store its address in `RamNFT` and add a modifier that reverts when `msg.sender` is any other address, then apply that modifier to `mintRamNFT()`.
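A complete, compilable version of that pattern, written as a Foundry test file. This is an added example, not the Dussehra project's own code: `GuardedRamNFT` and `MinimalDussehra` are stand-ins that model only the access-control path (no ERC721 logic, and `enter()` is an assumed name for the paid-entry function), and `player1` is a constructed test address. Because `Dussehra` takes the RamNFT address in its constructor while `RamNFT` now needs the `Dussehra` address as an immutable, the test precomputes the `Dussehra` address from the deployer's nonce so both immutables can be set at construction time.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Stand-in for RamNFT with the recommended onlyDussehra guard (example, not project code).
contract GuardedRamNFT {
    error RamNFT__NotDussehra();

    address public immutable i_dussehra;
    uint256 public nextTokenId;
    mapping(uint256 => address) public ownerOf;

    constructor(address _dussehra) {
        i_dussehra = _dussehra;
    }

    // Reverts for every caller except the Dussehra contract fixed at deployment.
    modifier onlyDussehra() {
        if (msg.sender != i_dussehra) revert RamNFT__NotDussehra();
        _;
    }

    function mintRamNFT(address to) external onlyDussehra {
        ownerOf[nextTokenId] = to;
        nextTokenId++;
    }
}

// Stand-in for Dussehra: collects the entrance fee and is the only permitted minter.
contract MinimalDussehra {
    uint256 public immutable entranceFee;
    GuardedRamNFT public immutable ramNFT;

    constructor(uint256 _entranceFee, address _ramNFT) {
        entranceFee = _entranceFee;
        ramNFT = GuardedRamNFT(_ramNFT);
    }

    // Assumed name for the paid-entry function; the real one lives in Dussehra.sol.
    function enter() external payable {
        require(msg.value == entranceFee, "wrong fee");
        ramNFT.mintRamNFT(msg.sender);
    }
}

contract OnlyDussehraTest is Test {
    GuardedRamNFT ramNFT;
    MinimalDussehra dussehra;
    address player1 = makeAddr("player1"); // constructed test address

    function setUp() public {
        // Each contract wants the other's address as an immutable, so predict the
        // Dussehra address: this test contract deploys RamNFT at `nonce` and
        // Dussehra at `nonce + 1`, and CREATE addresses depend only on (deployer, nonce).
        uint256 nonce = vm.getNonce(address(this));
        address predictedDussehra = vm.computeCreateAddress(address(this), nonce + 1);

        ramNFT = new GuardedRamNFT(predictedDussehra);           // uses nonce
        dussehra = new MinimalDussehra(1 ether, address(ramNFT)); // uses nonce + 1
        assertEq(address(dussehra), predictedDussehra);
    }

    // The direct call from the original finding now reverts.
    function test_directMintReverts() public {
        vm.expectRevert(GuardedRamNFT.RamNFT__NotDussehra.selector);
        vm.prank(player1);
        ramNFT.mintRamNFT(player1);
    }

    // The legitimate path through Dussehra still mints after the fee is paid.
    function test_mintViaDussehraWorks() public {
        vm.deal(player1, 1 ether);
        vm.prank(player1);
        dussehra.enter{value: 1 ether}();
        assertEq(ramNFT.ownerOf(0), player1);
        assertEq(ramNFT.nextTokenId(), 1);
    }
}
```

Run with `forge test --mc OnlyDussehraTest`. If the deployment script deploys the two contracts in a different order or from a different account, the predicted address changes with it; the guard is only as good as the address baked into `i_dussehra`, so the deployment script should assert `ramNFT.i_dussehra() == address(dussehra)` after both are live.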

Make below code changes in RamNFT.sol

code
+ error RamNFT__NotDussehra(); // creating new custom error
+ address immutable i_dussehra // creating a new immutable variable to store address of Dussehra.sol contract address
+ modifier onlyDussehra() { // creating a new modifier to check if caller is Dussehra contract
+ if (msg.sender != i_dussehra) {
+ revert RamNFT__NotDussehra();
+ }
+ _;
+ }
- constructor(uint256 _entranceFee, address _choosingRamContract, address _ramNFT)
+ constructor(uint256 _entranceFee, address _choosingRamContract, address _ramNFT, address _dussehra) {
...
+ i_dussehra = _dussehra
}
- function mintRamNFT(address to) public
+ function mintRamNFT(address to) external onlyDussehra // applying the modifier to execute before function call
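Review bot: the constructor on the `-`/`+` lines takes `(uint256 _entranceFee, address _choosingRamContract, address _ramNFT, ...)`, which is a `Dussehra`-shaped signature (it receives the RamNFT address), yet the heading says these changes go in `RamNFT.sol`; the new `_dussehra` parameter and `i_dussehra = _dussehra` belong in RamNFT's own constructor, and if `Dussehra` really takes `_ramNFT` at construction then the `Dussehra` address has to be precomputed before `RamNFT` is deployed (or set once afterwards), since neither immutable can be set from the other at construction time. Two syntax slips would also stop the snippet compiling: `+ address immutable i_dussehra` and `+ i_dussehra = _dussehra` both lack a trailing semicolon. The custom error, the `onlyDussehra` modifier and the `external onlyDussehra` change on `mintRamNFT` are otherwise correct.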
Updates

Lead Judging Commences

bube (Lead Judge), over 1 year ago: Submission Judgement Published, Validated

Assigned finding tags: mintRamNFT is public