Trick or Treat

Summary

IMPACT : HIGH

Likelihood : HIGH/MEDIUM

An attacker could create a smart contract with a receivefunction that only accepts specific values. For instance, if the treat costs 1 ether , the attacker might call trickOrTreat with 1.5 ether , configuring their contract to only allow a refund of 1 ether. By doing this, they could repeatedly revert any refund that doesn’t match this condition, allowing them to revert the trickOrTreat game until they win.

Vulnerability Details

an attacker could have a receive function that looks like this (if we assume the price of the NFT would be 1 ether and the attacker sends 1.5 ether).

Impact

If an attacker can consistently acquire NFTs at 50% of the intended price, they could repeatedly sell them on the market at, let's say for 90% of the original price. This undercuts the market value, creating downward pressure on the NFT's price as the attacker continues the exploit. As a result, the market value would gradually drop below the protocol’s original MintPrice, ultimately forcing the protocol to reduce its minting price to compete with the secondary market. In the worst case, this cycle could drive the price toward zero, undermining the protocol’s revenue and destabilizing the NFT’s perceived value and desirability.

Tools Used

Manual Review

Recommendations

you could spilt the TrickOrTreat function into 2 separate functions, atrickOrTreatand aclaimRefund function. And saving the amount that has to be refunded in a new mapping refundsToBePaid for example

implement this in the trickOrTreat function:

and adding a separate claimRefund function

Making the users pull out their funds rather than pushing it to to them.