Trick or Treat

First Flight #27
Beginner Friendly, Foundry
Submission Details
Severity: high
Invalid

NFT Supply

Summary

The contract does not impose any upper bound on the number of NFTs that can be minted: mintTreat assigns the next tokenId and mints unconditionally. An unbounded supply undermines whatever scarcity the project relies on and erodes trust in it. A hard cap on total supply should be introduced so that oversupply, whether accidental or abusive, is impossible by construction.

Vulnerability Details

mintTreat mints a new token and advances nextTokenId without comparing it against any maximum. Nothing in the contract bounds the total supply, so the number of tokens that can exist is limited only by how often the external call path reaches mintTreat. Because mintTreat is internal, whether and how quickly supply can actually grow depends on the external function that calls it, which this report does not analyse; the finding is therefore a missing invariant rather than a standalone exploit. It matters most where rarity and scarcity are core to the project's value proposition.

// Original minting path: no comparison against any maximum supply.
function mintTreat(address recipient, Treat memory treat) internal {
    uint256 tokenId = nextTokenId;          // next id is taken unconditionally
    _mint(recipient, tokenId);
    _setTokenURI(tokenId, treat.metadataURI);
    nextTokenId += 1;                       // counter grows without bound
    emit Swapped(recipient, treat.name, tokenId);
}

Impact

Unbounded NFT Minting: without a cap, the supply can grow without limit, which can lead to:

  • Devaluation of NFTs: scarcity is typically a core component of an NFT's value. If the supply is unbounded, the scarcity premium disappears.

  • Financial Loss: if the NFTs carry monetary value, oversupply erodes confidence and demand, causing losses to holders and to the project.

  • Reputation Damage: a project that mints far more NFTs than expected, intentionally or by accident, loses credibility, especially if the collection was advertised as limited.

Tools Used

Manual Review

Recommendations

Introduce a Minting Cap: define a fixed maximum supply (a constant, so it cannot drift after deployment) and a separate counter of tokens minted so far. Check the counter against the cap before every mint and increment it afterwards. Keep the cap and the counter in distinct variables: if a single totalSupply variable is used both as the limit and as the thing incremented on each mint, the check compares a counter against itself plus a constant and never fails. If the contract inherits OpenZeppelin's ERC721Enumerable, which already defines totalSupply(), reuse that or rename the counter to avoid a clash.

uint256 public constant MAX_SUPPLY = 1000; // hard cap, fixed at deployment
uint256 public totalSupply;               // tokens minted so far

function mintTreat(address recipient, Treat memory treat) internal {
    // Compare the minted counter against the cap, not the cap against itself.
    require(totalSupply < MAX_SUPPLY, "Minting would exceed the max supply");
    uint256 tokenId = nextTokenId;
    totalSupply += 1;                       // count before external effects
    _mint(recipient, tokenId);
    _setTokenURI(tokenId, treat.metadataURI);
    nextTokenId += 1;
    emit Swapped(recipient, treat.name, tokenId);
}

Track and Restrict Minting: every code path that mints must go through this check, so the comparison belongs inside mintTreat rather than in its callers. Once the counter reaches the cap, minting must revert; a unit test that mints exactly MAX_SUPPLY tokens and then expects the next mint to revert catches off-by-one mistakes in the comparison.
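The following Foundry test is an added example and is not code from the Trick or Treat contest contract or from the original submission. It uses a hypothetical minimal minting core (no ERC721 library, so it runs stand-alone) to show two things: the pitfall of using one storage variable as both the cap and the minted counter, which lets minting continue indefinitely, and the fixed version with a constant cap, which stops at exactly MAX_SUPPLY and reverts on the next mint. Contract names, the custom error and the 1000 cap are assumptions chosen for the demonstration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for the ERC721 minting path: it only assigns ids
// and records an owner, so the cap logic can be tested without a token
// library. Not the contest contract.
abstract contract MintCore {
    uint256 public nextTokenId = 1;
    mapping(uint256 => address) public ownerOf;

    function _mintCore(address to) internal returns (uint256 tokenId) {
        tokenId = nextTokenId;
        ownerOf[tokenId] = to;
        nextTokenId += 1;
    }
}

// Pitfall (constructed): the same variable is the "cap" and is bumped on
// every mint, so totalSupply - nextTokenId stays constant and the
// require never fails.
contract MovingCapMinter is MintCore {
    uint256 public totalSupply = 1000;

    function mint(address to) external returns (uint256) {
        require(nextTokenId <= totalSupply, "Minting would exceed the max supply");
        uint256 id = _mintCore(to);
        totalSupply++;
        return id;
    }
}

// Fix: an immutable cap and a separate counter of tokens minted so far.
contract CappedMinter is MintCore {
    uint256 public constant MAX_SUPPLY = 1000;
    uint256 public totalSupply;

    error MaxSupplyReached(uint256 maxSupply);

    function mint(address to) external returns (uint256) {
        if (totalSupply >= MAX_SUPPLY) revert MaxSupplyReached(MAX_SUPPLY);
        totalSupply++;
        return _mintCore(to);
    }
}

contract SupplyCapTest is Test {
    function test_movingCapNeverStopsMinting() public {
        MovingCapMinter m = new MovingCapMinter();
        for (uint256 i = 0; i < 1500; i++) m.mint(address(this));
        // 1500 tokens exist despite a nominal cap of 1000: the cap moved
        // together with the counter (1000 + 1500 mints).
        assertEq(m.nextTokenId() - 1, 1500);
        assertEq(m.totalSupply(), 2500);
    }

    function test_fixedCapStopsAtExactlyMaxSupply() public {
        CappedMinter m = new CappedMinter();
        for (uint256 i = 0; i < m.MAX_SUPPLY(); i++) m.mint(address(this));
        assertEq(m.totalSupply(), 1000);
        assertEq(m.nextTokenId(), 1001);

        // The 1001st mint must revert with the cap error, not mint an extra token.
        vm.expectRevert(abi.encodeWithSelector(CappedMinter.MaxSupplyReached.selector, 1000));
        m.mint(address(this));
    }
}
```

Run it with forge test in a project that has forge-std installed. The second test pins the boundary: exactly MAX_SUPPLY mints succeed and the next one reverts, which is the check that catches an off-by-one in the comparison operator.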

Updates

Appeal created

bube Lead Judge 8 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
