The protocol mints NFTs via the _mint function instead of the _safeMint function. The _mint function does not check whether or not the recipient can actually receive ERC721 tokens.
In the mintTreat function, the contract uses _mint to create and assign ownership of NFTs without checking the compatibility of the recipient. This lack of validation could result in NFTs being sent to contracts that are not ERC721-compatible, causing them to be locked and inaccessible.
Found in src/TrickOrTreat.sol Line: 81
Found in src/TrickOrTreat.sol Line: 110
Using _mint instead of _safeMint could impact the user's experience: if users mistakenly use an incompatible contract, they will not have access to the NFT, leading to user dissatisfaction, and users with limited knowledge of NFTs might even think this project is a scam.
slither & aderyn
Use _safeMint instead of _mint:
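The difference between the two calls, as an added example that is not code from the audited contract. DemoTreat, Vault, AwareVault and Demo are hypothetical names, and OpenZeppelin's ERC721 is assumed as the base contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

// Hypothetical token for illustration; not the project's TrickOrTreat contract.
contract DemoTreat is ERC721 {
    uint256 public nextTokenId = 1;

    constructor() ERC721("DemoTreat", "DT") {}

    // Reported pattern: ownership is assigned with no check on the recipient.
    function mintUnchecked(address to) external returns (uint256 id) {
        id = nextTokenId++;
        _mint(to, id);
    }

    // Recommended pattern: if `to` is a contract, it must return the
    // onERC721Received selector, otherwise the whole mint reverts.
    function mintChecked(address to) external returns (uint256 id) {
        id = nextTokenId++;
        _safeMint(to, id);
    }
}

// A contract with no ERC721 handling and no function to move tokens out.
contract Vault {}

// A contract that declares it can receive ERC721 tokens.
contract AwareVault is IERC721Receiver {
    function onERC721Received(address, address, uint256, bytes calldata)
        external pure returns (bytes4) {
        return IERC721Receiver.onERC721Received.selector;
    }
}

// Exercises both paths; every flag is true after run().
contract Demo {
    function run() external returns (bool stuck, bool rejected, bool accepted) {
        DemoTreat t = new DemoTreat();
        address plain = address(new Vault());
        address aware = address(new AwareVault());
        uint256 id = t.mintUnchecked(plain);
        stuck = t.ownerOf(id) == plain; // minted, but Vault can never transfer it
        try t.mintChecked(plain) {} catch { rejected = true; } // _safeMint refuses Vault
        accepted = t.ownerOf(t.mintChecked(aware)) == aware;
    }
}
```

Because _safeMint makes an external call to the recipient, functions that use it should finish their state updates before the call, as mintChecked does with the token counter, or carry a reentrancy guard.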