[EVMN] NFTs Held Hostage
Summary
A number of NFTs can be held hostage by a user who has no genuine intent to purchase.
Vulnerability Details
The code on lines 85-87 indicates that a newly generated NFT will be temporarily held by the contract if the user (the caller) gets a trick where the NFT price doubles (i.e., costMultiplierNumerator == 2) and the amount of native asset paid by the user is less than the doubled price. It is expected that the user later calls function resolveTrick() to pay the remaining amount and the NFT will be released to the user.
This logic can be weaponised by a malicious user. Consider the following steps:
The user calls
trickOrTreat()andguessesthe random value, expecting atrick. The user sends an amount ofmsg.valuethat is much less than therequiredCost.The user repeats step 1 as many as possible (e.g.,
xtimes).The user never calls
resolveTrick().
As the result, there are x NFTs stuck on the contract, that is held hostage by the user, because the user is the only party that can release the NFTs from the contract.
Impact
NFTs potentially gets stuck on the contract.
Tools Used
Manual review.
Recommendations
Consider adding a deadline which allows the owner to release the NFTs after the deadline expires.
Appeal created
[invalid] Unlimited pending NFTs
The protocol can work correctly with more than 20000 tokens in it. It is informational.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.