Trick or Treat
First Flight #27
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: low
Invalid

The `TrickOrTreat::mintTreat` function increment the `nextTokenId` after the `_mint` and `_setTokenURI` calls

deeney

Summary

The nextTokenId is incremented only after the _mint and _setTokenURI calls. If any of these calls fail or revert, the token ID will not be incremented, which can lead to duplicate token ID usage if the transaction is reattempted.

function mintTreat(address recipient, Treat memory treat) internal {
uint256 tokenId = nextTokenId;
_mint(recipient, tokenId);
_setTokenURI(tokenId, treat.metadataURI);
nextTokenId += 1;
emit Swapped(recipient, treat.name, tokenId);
}

Vulnerability Details

Impact

If _mint or _setTokenURI fails for any reason (like gas limitations on the recipient or a failure in the metadata URI assignment), the same tokenId could potentially be reused, causing unexpected behavior or token duplication.

Tools Used

Manual Review

Recommendations

The increment nextTokenId should be done immediately after setting the tokenIdbefore _mint and _setTokenURI calls. This ensures that each minting operation always references a unique token ID, regardless of any issues in subsequent function calls.

function mintTreat(address recipient, Treat memory treat) internal {
uint256 tokenId = nextTokenId;
+ nextTokenId += 1;
_mint(recipient, tokenId);
_setTokenURI(tokenId, treat.metadataURI);
- nextTokenId += 1;
emit Swapped(recipient, treat.name, tokenId);
}
Updates

Appeal created

bube Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.