The mintTreat function in the contract allows NFTs to be minted, but it lacks proper access control. Currently, the function can be called indirectly without enforcing restrictions, which can allow unauthorized users to mint NFTs. This can result in infinite minting, devaluation of NFTs, and significant financial losses. Proper access control, such as onlyOwner, should be implemented to prevent unauthorized minting.
The mintTreat function is marked as internal, but any public or external function that calls mintTreat could allow unauthorized users to mint NFTs if proper access control is not enforced. The current implementation does not restrict who can trigger the minting process, meaning it could potentially be exploited to mint unlimited NFTs.
Without the onlyOwner modifier or other access control, any public or external function that can call mintTreat could allow anyone to mint NFTs, leading to the following impacts:
1. Unlimited NFT Minting: Unauthorized users could exploit this vulnerability to mint an infinite number of NFTs, significantly devaluing the entire collection.
2. Financial Loss: If NFTs hold any monetary value or are tied to rare assets, unlimited minting could result in severe financial losses for users and the contract owner.
Manual Review
Enforce Access Control: Apply the onlyOwner modifier or another access control mechanism to the mintTreat function, or to every public or external function that calls it, to ensure only the contract owner (or other privileged roles) can mint NFTs.