Submission Details
Severity: high
Valid

`RamNFT::mintRamNFT` has no access control, allowing anyone to mint an NFT directly without paying the entry fees of the event

Summary

The Dussehra contract is the only contract expected to mint NFTs, which it does for people participating in the event after charging the event fee. The `mintRamNFT` function is therefore expected to have access control that allows only the Dussehra contract to mint NFTs for participants.

In practice, `mintRamNFT` has no access control, so people can participate in the event by minting an NFT without paying the entry fees.

Vulnerability Details

The vulnerability is in `RamNFT::mintRamNFT`, which allows anyone to mint an NFT. The NFT is expected to be minted for people who participate in the event via the `Dussehra::enterPeopleWhoLikeRam` function, which charges fees and mints the NFT.

Because `mintRamNFT` has no access control, anyone can mint the NFT and participate in the event without paying the entry fees.

Impact

  • Anyone can participate in the event without paying the entry fees by minting an NFT directly through `mintRamNFT`

  • A single address can also mint multiple NFTs

Tools Used

Manual Review

Recommendations

Add access control to the `RamNFT::mintRamNFT` function so that only the Dussehra contract can call it.
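
One way to apply this recommendation, as an added sketch that is not the audited project's code. It assumes `mintRamNFT` takes the recipient address, that the token is built on OpenZeppelin's `ERC721`, and that the Dussehra address is wired in once after deployment; `deployer`, `dussehra`, `setDussehra`, `tokenCounter`, the token name and symbol, and the custom errors are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

// Illustrative hardened version. Only RamNFT, mintRamNFT and Dussehra come
// from the finding; every other identifier here is an assumption.
contract RamNFT is ERC721 {
    error RamNFT__NotDeployer();
    error RamNFT__NotDussehra();
    error RamNFT__DussehraAlreadySet();
    error RamNFT__ZeroAddress();

    address public immutable deployer; // account that wires the contracts together
    address public dussehra;           // the only address allowed to mint
    uint256 public tokenCounter;

    // While dussehra is still address(0), every caller fails this check,
    // so nothing can be minted before the wiring step is done.
    modifier onlyDussehra() {
        if (msg.sender != dussehra) revert RamNFT__NotDussehra();
        _;
    }

    constructor() ERC721("RamNFT", "RAM") {
        deployer = msg.sender;
    }

    // One-time setter: the minter cannot be repointed to another address later.
    function setDussehra(address dussehra_) external {
        if (msg.sender != deployer) revert RamNFT__NotDeployer();
        if (dussehra != address(0)) revert RamNFT__DussehraAlreadySet();
        if (dussehra_ == address(0)) revert RamNFT__ZeroAddress();
        dussehra = dussehra_;
    }

    // Minting is reachable only through the Dussehra contract, which is the
    // code path that charges the entry fee.
    function mintRamNFT(address to) external onlyDussehra {
        uint256 tokenId = tokenCounter++; // counter updated before the external callback
        _safeMint(to, tokenId);
    }
}
```

With this gate in place, a direct call to `mintRamNFT` from any account other than the Dussehra contract reverts, so whether one address can hold multiple NFTs is decided entirely by the Dussehra entry function.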

Updates

Lead Judging Commences

bube Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

mintRamNFT is public
