The SpookySwap contract is an ERC721 NFT contract that allows users to mint NFTs representing "treats" through a couple of functions, including `mintTreat`. This function is called internally when users purchase treats via the `trickOrTreat` function or other mechanisms. It handles the minting of the NFT to the recipient and updates the contract's state accordingly.
The `mintTreat` function violates the Checks-Effects-Interactions (CEI) pattern by making an external call to `_mint` before updating critical state variables. Specifically, it calls `_mint(recipient, tokenId)`, which can trigger external code execution if the `recipient` is a contract, before incrementing `nextTokenId`. This violation can potentially be exploited through reentrancy attacks, allowing a malicious recipient to manipulate the contract's state, mint multiple NFTs, or cause other unintended behaviors.
The `mintTreat` function is defined as follows:
}
The violation of the CEI pattern in the `mintTreat` function can lead to significant security risks:
- Unauthorized Minting: An attacker can mint multiple NFTs without authorization, leading to inflation of the NFT supply and potential devaluation.
- Financial Losses: Unauthorized minting can result in direct financial losses to the contract owner or users.
- Contract Disruption: Reentrancy can disrupt the normal operation of the contract, potentially corrupting the contract's state.
Manual review
To mitigate this vulnerability, the contract should adhere to the Checks-Effects-Interactions pattern by updating the state before making any external calls:
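The following is an added illustration, not the audited SpookySwap source, that puts the ordering defect described above beside the CEI-compliant form. It assumes OpenZeppelin's `ERC721` and `ReentrancyGuard` and uses `_safeMint`, whose `onERC721Received` callback is the explicit external-call path into a contract recipient; the contract names, the `trickOrTreat` body and the `mintedBy` accounting are simplified placeholders for the finding's scenario.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed dependencies (OpenZeppelin Contracts v5 paths).
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Illustrative "before" contract: the interaction happens before the effects.
/// While the recipient's onERC721Received hook is running, nextTokenId and
/// mintedBy still hold their pre-mint values, so any re-entrant call into
/// trickOrTreat observes stale state.
contract TreatMintVulnerable is ERC721 {
    uint256 public nextTokenId;
    mapping(address => uint256) public mintedBy;

    constructor() ERC721("Treat", "TRT") {}

    // Placeholder purchase entry point; payment checks omitted for brevity.
    function trickOrTreat() external payable {
        mintTreat(msg.sender);
    }

    function mintTreat(address recipient) internal {
        uint256 tokenId = nextTokenId;
        // INTERACTION first: external call into `recipient` if it is a contract.
        _safeMint(recipient, tokenId);
        // EFFECTS last: state is only finalized after control returns.
        nextTokenId = tokenId + 1;
        mintedBy[recipient] += 1;
    }
}

/// Illustrative "after" contract following Checks-Effects-Interactions.
/// The counter is advanced and the accounting recorded before the external
/// call, and the public entry point is additionally guarded with a mutex so a
/// re-entrant call reverts instead of reaching mintTreat a second time.
contract TreatMintHardened is ERC721, ReentrancyGuard {
    uint256 public nextTokenId;
    mapping(address => uint256) public mintedBy;

    event TreatMinted(address indexed recipient, uint256 indexed tokenId);

    constructor() ERC721("Treat", "TRT") {}

    function trickOrTreat() external payable nonReentrant {
        mintTreat(msg.sender);
    }

    function mintTreat(address recipient) internal {
        // CHECKS: validate inputs before touching state.
        require(recipient != address(0), "zero recipient");

        // EFFECTS: reserve the id and record accounting first.
        uint256 tokenId = nextTokenId;
        nextTokenId = tokenId + 1;
        mintedBy[recipient] += 1;
        emit TreatMinted(recipient, tokenId);

        // INTERACTION: the external call is the final step, so a callback
        // sees nextTokenId already incremented and mintedBy already updated.
        _safeMint(recipient, tokenId);
    }
}
```

The reordering alone removes the stale-state window the finding describes; `nonReentrant` is a defence-in-depth layer that also blocks re-entry through any other public function that shares this state. When reviewing the real contract, confirm every state write in `mintTreat` (token counter, per-user counters, token URI bookkeeping) sits above the mint call, not just the counter named in the finding.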