Trick or Treat

First Flight #27 (Beginner Friendly, Foundry)

Submission Details
Severity: low
Invalid

An attacker could enter the `trickOrTreat` function with no value, so that only a losing outcome goes through, falsely incrementing the tokenId

Summary

An attacker could enter the trickOrTreat function for the rarest NFT with 0 wei. This would always revert unless he loses and has to pay double; in that case the transaction goes through, the NFT is minted to the contract and the attacker is added to the pending list. This falsely increases the tokenId and changes the perceived rarity of the NFT.

Vulnerability details

trickOrTreat does not require any msg.value to be sent when the caller loses the game. This is also why the transaction only goes through when he loses the game.

```solidity
if (costMultiplierNumerator == 2 && costMultiplierDenominator == 1) {
    // Double price case (trick)
    if (msg.value >= requiredCost) {
        // User sent enough ETH
        mintTreat(msg.sender, treat);
@>  } else {
        // User didn't send enough ETH
        // Mint NFT to contract and store pending purchase
        uint256 tokenId = nextTokenId;
        _mint(address(this), tokenId);
        _setTokenURI(tokenId, treat.metadataURI);
        nextTokenId += 1;
        pendingNFTs[tokenId] = msg.sender;
        pendingNFTsAmountPaid[tokenId] = msg.value;
        tokenIdToTreatName[tokenId] = _treatName;
        // do the pending nfts also come in the swapped event?
        emit Swapped(msg.sender, _treatName, tokenId);
        // User needs to call fellForTrick() to finish the transaction
    }
```

Impact

  1. Misleading Perception of Supply:
    Users and potential buyers may observe a high nextTokenId and assume that many more NFTs have been minted than actually exist in circulation. This inflated perception can reduce the perceived exclusivity or rarity of each token, which is a critical factor in the valuation of NFTs. As perceived scarcity decreases, so might the perceived value of each NFT, potentially affecting market prices.

  2. Negative Impact on Market Demand:
    In the NFT market, buyers are often motivated by the rarity and uniqueness of assets. A perceived over-supply, even if inaccurate, can deter collectors and investors from engaging with the project. This could result in lower demand for new and existing tokens, reducing sales and transaction activity on the platform.

  3. Reputation Risks:
    NFT platforms and collections often rely on transparent and reliable metrics to build trust with users. If the inflated nextTokenId causes discrepancies between the reported and actual supply, it could harm the contract’s reputation. Users may lose trust in the platform’s ability to manage scarcity and fairness, leading to negative word-of-mouth and reluctance to engage with the platform.

  4. Platform and Marketplace Misreporting:
    Many marketplaces and analytics platforms use the nextTokenId to estimate the total supply of a collection. The inflated token count could lead to these platforms reporting a larger collection size than what truly exists, further exacerbating the perceived over-supply issue. This can mislead buyers across multiple platforms, compounding the negative effects on demand and value.

Recommendations

  1. Implement a require statement at the beginning of the trickOrTreat function (recommended)

```diff
 function trickOrTreat(string memory _treatName) public payable nonReentrant {
     Treat memory treat = treatList[_treatName];
     require(treat.cost > 0, "Treat cost not set.");
+    require(msg.value >= treat.cost, "you have to send more eth");
     uint256 costMultiplierNumerator = 1;
     uint256 costMultiplierDenominator = 1;
```
  2. Alternatively, add a condition to the else branch later in the trickOrTreat function

```diff
 if (costMultiplierNumerator == 2 && costMultiplierDenominator == 1) {
     // Double price case (trick)
     if (msg.value >= requiredCost) {
         // User sent enough ETH
         mintTreat(msg.sender, treat);
-    } else {
+    } else if (msg.value >= requiredCost / 2) {
         // User didn't send enough ETH
         // Mint NFT to contract and store pending purchase
         uint256 tokenId = nextTokenId;
         _mint(address(this), tokenId);
         _setTokenURI(tokenId, treat.metadataURI);
         nextTokenId += 1;
```
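As an added illustration for both the vulnerability details and recommendation 1 (constructed for this write-up, not the audited Trick or Treat contract), the Foundry test below pairs a stripped-down model of the pending-purchase branch with the hardened form that adds the minimum-value require. The model replaces the contract's random trick/treat outcome with a caller-controlled `trick` flag and replaces ERC721 minting with a counter, both assumptions made so the losing branch is reachable deterministically; `PendingMintModel`, `enforceMinimum`, `mintedToUsers` and `addTreat` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Constructed model of the trickOrTreat pending branch. Not the audited
// contract: the random "trick" outcome is a caller-supplied flag and
// minting is a counter, so the losing path can be reached on demand.
contract PendingMintModel {
    struct Treat { uint256 cost; string metadataURI; }

    mapping(string => Treat) public treatList;
    mapping(uint256 => address) public pendingNFTs;
    mapping(uint256 => uint256) public pendingNFTsAmountPaid;
    uint256 public nextTokenId = 1;
    uint256 public mintedToUsers;   // stand-in for tokens actually in circulation
    bool public enforceMinimum;     // false = original behaviour, true = hardened

    event Swapped(address indexed user, string treatName, uint256 tokenId);

    constructor(bool _enforceMinimum) { enforceMinimum = _enforceMinimum; }

    function addTreat(string memory name, uint256 cost) external {
        treatList[name] = Treat(cost, "ipfs://placeholder");
    }

    // `trick` stands in for the random multiplier: true means "double price".
    function trickOrTreat(string memory _treatName, bool trick) external payable {
        Treat memory treat = treatList[_treatName];
        require(treat.cost > 0, "Treat cost not set.");
        // Hardened form (recommendation 1): a call must carry at least the
        // base price, so a 0 wei call can never reach the pending branch.
        if (enforceMinimum) {
            require(msg.value >= treat.cost, "you have to send more eth");
        }
        uint256 requiredCost = trick ? treat.cost * 2 : treat.cost;
        if (!trick) {
            // Normal price case: underpaying reverts, no tokenId consumed.
            require(msg.value >= requiredCost, "Insufficient ETH sent for treat.");
            mintedToUsers += 1;
            nextTokenId += 1;
            return;
        }
        if (msg.value >= requiredCost) {
            mintedToUsers += 1;
            nextTokenId += 1;
        } else {
            // Original behaviour: no minimum, so msg.value == 0 lands here and
            // still consumes a tokenId while nothing reaches a user wallet.
            uint256 tokenId = nextTokenId;
            nextTokenId += 1;
            pendingNFTs[tokenId] = msg.sender;
            pendingNFTsAmountPaid[tokenId] = msg.value;
            emit Swapped(msg.sender, _treatName, tokenId);
        }
    }
}

contract PendingMintModelTest is Test {
    // Losing branch with 0 wei: the counter advances, supply in circulation does not.
    function testZeroValueConsumesTokenId() public {
        PendingMintModel m = new PendingMintModel(false);
        m.addTreat("rare", 1 ether);
        uint256 before = m.nextTokenId();
        m.trickOrTreat{value: 0}("rare", true);
        assertEq(m.nextTokenId(), before + 1);
        assertEq(m.mintedToUsers(), 0);
        assertEq(m.pendingNFTs(before), address(this));
        assertEq(m.pendingNFTsAmountPaid(before), 0);
    }

    // Same call against the hardened model is rejected up front.
    function testHardenedRejectsZeroValue() public {
        PendingMintModel m = new PendingMintModel(true);
        m.addTreat("rare", 1 ether);
        vm.expectRevert(bytes("you have to send more eth"));
        m.trickOrTreat{value: 0}("rare", true);
    }
}
```

Run it with `forge test` in a Foundry project that has forge-std installed. The first test is the observable the judge's comment disputes as informational: nextTokenId moves while mintedToUsers stays at zero. The second test shows that the require from recommendation 1 closes the path without touching the pending-purchase logic itself.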
Updates

Appeal created

bube Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[invalid] Unlimited pending NFTs

The protocol can work correctly with more than 20000 tokens in it. It is informational.
