Trick or Treat

First Flight #27
Beginner Friendly, Foundry
Submission Details
Severity: medium
Valid

Unsafe NFT Minting Using _mint() Instead of _safeMint()

01. Relevant GitHub Links

02. Summary

The contract uses the _mint() function in multiple locations to mint NFTs. However, this can result in NFTs being sent to addresses that do not support ERC721 tokens, causing them to become irretrievable. To prevent this, _safeMint() should be used instead to ensure that the recipient address can safely receive the NFT.

03. Vulnerability Details

The contract uses the _mint() function in the following locations to mint NFTs:

    uint256 tokenId = nextTokenId;
    _mint(address(this), tokenId);
    _setTokenURI(tokenId, treat.metadataURI);

    function mintTreat(address recipient, Treat memory treat) internal {
        uint256 tokenId = nextTokenId;
        _mint(recipient, tokenId);
        _setTokenURI(tokenId, treat.metadataURI);
        nextTokenId += 1;
        emit Swapped(recipient, treat.name, tokenId);
    }

The use of _mint() directly sends the NFT to the specified address without verifying whether the recipient can receive ERC721 tokens. If the recipient is a contract that does not implement the IERC721Receiver interface, the NFT will be locked in that contract and become irretrievable. This could lead to significant asset loss for users.

Using _safeMint() instead ensures that the recipient address is either an externally owned account (EOA) or a contract that properly implements the ERC721 receiver interface, preventing this kind of issue.

03. Impact

  • Permanent Loss of NFTs: If an NFT is minted to a contract that does not support ERC721 tokens, it could be permanently lost or locked, with no way to retrieve it.

  • User Frustration and Financial Loss: Users may lose access to valuable NFTs due to improper handling of the minting process.

  • Potential Exploitation: An attacker could deliberately target contracts that cannot handle ERC721 tokens to cause NFT losses.

04. Proof of Concept

05. Tools Used

Manual Code Review and Foundry

06. Recommended Mitigation

  1. Use _safeMint() Instead of _mint(): Replace all instances of _mint() with _safeMint() to ensure that the recipient is capable of receiving ERC721 tokens.

     _safeMint(recipient, tokenId); // Ensures recipient can handle ERC721 tokens
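
The recommended change applied to mintTreat, as an added example that is not part of the submission or the audited contract. It also covers two consequences of the switch: _safeMint() makes an external call to onERC721Received on contract recipients, so the token counter is advanced before the mint, and a contract that safe-mints to address(this) must itself implement IERC721Receiver. Assumptions: OpenZeppelin Contracts v5 import paths, the hypothetical contract name SafeMintExample, and a Treat struct with the name and metadataURI fields that the snippets above reference.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {ERC721URIStorage} from "@openzeppelin/contracts/token/ERC721/extensions/ERC721URIStorage.sol";
import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

// Hypothetical contract for illustration. Only Treat's fields, nextTokenId,
// mintTreat and the Swapped event mirror names that appear in the finding.
contract SafeMintExample is ERC721URIStorage, IERC721Receiver {
    struct Treat {
        string name;
        string metadataURI;
    }

    uint256 public nextTokenId = 1;

    event Swapped(address indexed recipient, string treatName, uint256 tokenId);

    constructor() ERC721("SafeMintExample", "SME") {}

    // Required only because the contract may safe-mint to address(this):
    // without this hook, _safeMint(address(this), tokenId) reverts.
    function onERC721Received(address, address, uint256, bytes calldata)
        external
        pure
        override
        returns (bytes4)
    {
        return IERC721Receiver.onERC721Received.selector;
    }

    function mintTreat(address recipient, Treat memory treat) internal {
        uint256 tokenId = nextTokenId;
        // Effects before interactions: _safeMint calls onERC721Received on
        // contract recipients, so a re-entrant call must already see the
        // advanced counter and can never reuse this tokenId.
        nextTokenId += 1;
        _safeMint(recipient, tokenId); // reverts if a contract recipient lacks the receiver hook
        _setTokenURI(tokenId, treat.metadataURI);
        emit Swapped(recipient, treat.name, tokenId);
    }
}
```

External entry points that reach mintTreat should also update their own state before the call or carry a reentrancy guard, since the recipient's hook runs in the middle of the mint.
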
Updates

Appeal created

bube Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Use of `_mint` instead of `safeMint`
