Trick or Treat

First Flight #27
Beginner FriendlyFoundry
100 EXP
View results
Submission Details
Severity: high
Invalid

Access control in the mintTreat function

Summary

The mintTreat function in the contract allows NFTs to be minted, but it lacks proper access control. Currently, the function can be called indirectly without enforcing restrictions, which can allow unauthorized users to mint NFTs. This can result in infinite minting, devaluation of NFTs, and significant financial losses. Proper access control, such as onlyOwner, should be implemented to prevent unauthorized minting.

Vulnerability Details

The mintTreat function is marked as internal, but any public or external function that calls mintTreat could allow unauthorized users to mint NFTs if proper access control is not enforced. The current implementation does not restrict access to who can trigger the minting process, meaning it could potentially be exploited to mint unlimited NFTs.

function mintTreat(address recipient, Treat memory treat) internal {
uint256 tokenId = nextTokenId;
_mint(recipient, tokenId);
_setTokenURI(tokenId, treat.metadataURI);
nextTokenId += 1;
emit Swapped(recipient, treat.name, tokenId);
}

Without the onlyOwner modifier or other access control, any public or external function that can call mintTreat could allow anyone to mint NFTs,

Impact

1: Unlimited NFT Minting: Unauthorized users could exploit this vulnerability to mint an infinite number of NFTs, significantly devaluing the entire collection.

2: Financial Loss: If NFTs hold any monetary value or are tied to rare assets, unlimited minting could result in severe financial losses for users and the contract owner.

Tools Used

Manual Review

Recommendations

Enforce Access Control: Apply the onlyOwner modifier or another access control mechanism to the mintTreat function to ensure only the contract owner (or other privileged roles) can mint NFTs.

function mintTreat(address recipient, Treat memory treat) internal onlyOwner {
uint256 tokenId = nextTokenId;
_mint(recipient, tokenId);
_setTokenURI(tokenId, treat.metadataURI);
nextTokenId += 1;
emit Swapped(recipient, treat.name, tokenId);
}
Updates

Appeal created

bube Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.