Beginner FriendlyFoundryNFT
Submission Details
Severity: high
Valid

Lack of Access Control in `RamNFT::mintRamNFT` Function

Summary

The mintRamNFT function in the RamNFT contract allows any user to mint new NFTs without restriction. This lack of access control permits unauthorized minting, which could be used to overwhelm the contract's resources or disrupt its intended functionality.

Vulnerability Details

The mintRamNFT function is implemented as follows:

function mintRamNFT(address to) public {
    // No check on msg.sender or on `to`: any address can call this and mint.
    uint256 newTokenId = tokenCounter++;
    _safeMint(to, newTokenId);
}

Access Control: The function does not check whether the caller is authorized to mint NFTs, allowing any address to call this function and mint new tokens.
Security Risk: Without proper checks, malicious actors could mint NFTs excessively.

Impact

Unauthorized Minting: Any user can mint NFTs, which can lead to an unbounded token supply and potential system abuse.

Gas Abuse: The contract could be flooded with minting requests, driving up gas costs and degrading performance.

Tools Used

Manual code analysis

Recommendations

To mitigate the risk, add an access control check so that only authorized entities can mint NFTs. This can be done by verifying that the recipient has paid the entrance fee or holds specific permissions set by the contract owner, for example:

function mintRamNFT(address to) public {
    // Gate minting on the entrance-fee check tracked by the ChoosingRam contract.
    require(ChoosingRam(choosingRamContract).peopleLikeRam(to), "Caller has not paid the entrance fee");
    uint256 newTokenId = tokenCounter++;
    _safeMint(to, newTokenId);
}

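
As an added example (not the audited contract's code and not part of the submission), a Foundry regression test against a hardened RamNFT sketch that gates minting on the entrance-fee check the recommendation describes. `IChoosingRam`, `ChoosingRamMock`, `RamNFTFixed` and the test addresses are assumptions; only `choosingRamContract` and `peopleLikeRam` come from the report, and the ERC721 base is OpenZeppelin's.

```solidity
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";

// Assumed interface of the ChoosingRam contract the report references.
interface IChoosingRam {
    function peopleLikeRam(address user) external view returns (bool);
}

// Hardened sketch of RamNFT with the gate the recommendation describes (not the audited code).
contract RamNFTFixed is ERC721 {
    uint256 public tokenCounter;
    address public immutable choosingRamContract;
    constructor(address choosingRam) ERC721("RamNFT", "RAM") {
        choosingRamContract = choosingRam;
    }
    function mintRamNFT(address to) public {
        require(IChoosingRam(choosingRamContract).peopleLikeRam(to), "Caller has not paid the entrance fee");
        _safeMint(to, tokenCounter++);
    }
}

// Constructed stand-in for ChoosingRam: only addresses marked as paid are eligible.
contract ChoosingRamMock is IChoosingRam {
    mapping(address => bool) public paid;
    function setPaid(address user, bool v) external { paid[user] = v; }
    function peopleLikeRam(address user) external view returns (bool) { return paid[user]; }
}

contract MintAccessControlTest is Test {
    RamNFTFixed nft;
    ChoosingRamMock ram;
    address payer = makeAddr("payer");
    address stranger = makeAddr("stranger");
    function setUp() public {
        ram = new ChoosingRamMock();
        nft = new RamNFTFixed(address(ram));
        ram.setPaid(payer, true);
    }
    // Regression test for the finding: an unpaid address is rejected, a paid one mints token 0.
    function testOnlyPaidAddressesCanMint() public {
        vm.prank(stranger);
        vm.expectRevert(bytes("Caller has not paid the entrance fee"));
        nft.mintRamNFT(stranger);
        vm.prank(payer);
        nft.mintRamNFT(payer);
        assertEq(nft.ownerOf(0), payer);
        assertEq(nft.tokenCounter(), 1);
    }
}
```

The gate checks the recipient `to`, as in the recommendation, not `msg.sender`; if only the payer should be able to trigger a mint to themselves, also require `msg.sender == to`.
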
Updates

Lead Judging Commences

bube Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

mintRamNFT is public
