Trick or Treat

First Flight #27

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

Users that have to pay 2x the cost of treat might flood the contract with NFTs

cryptozaki

Summary

If a user has to pay 2x the cost of treat, the NFT is minted to the contract and if the user wants the NFT he has to call resolveTrickfunction. This can lead users paying only gas price for the NFT and never calling resolveTrickfunction, therefore flooding the contract with NFTs which will be forever there.

Vulnerability Details

The problem lies in these lines of the function trickOrTreat:

} else {

// User didn't send enough ETH

// Mint NFT to contract and store pending purchase

// @audit can we reuse the function mintTreat(address(this), treat); again here ?

// or better to mint the treat after the user pays full price

uint256 tokenId = nextTokenId;

_mint(address(this), tokenId);

_setTokenURI(tokenId, treat.metadataURI);

nextTokenId += 1;

// @audit - potential DoS here. If the user mints a lot of nfts but never invoke the function resolveTrick(uint256)

// it would cost more gas for other users to mint a nft

pendingNFTs[tokenId] = msg.sender;

pendingNFTsAmountPaid[tokenId] = msg.value;

tokenIdToTreatName[tokenId] = _treatName;

emit Swapped(msg.sender, _treatName, tokenId);

}

As we can see the NFT is minted to the contract and the user paid partial or no amout of the cost.

Impact

Flooding the contract with NFTs

Tools Used

foundry

Recommendations

Mint the NFT in the resolveTrickfunction instead.

Remove the following lines from trickOrTreatfunction:

_mint(address(this), tokenId);

_setTokenURI(tokenId, treat.metadataURI);

nextTokenId += 1;

And modify function resolveTrickto call mintTreataccordingly.

Updates

Appeal created

bube Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

[invalid] Unlimited pending NFTs

The protocol can work correctly with more than 20000 tokens in it. It is informational.

Rewards breakdown

nSLOC

109

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.