The exploitable logical vulnerability in the provided Solidity contract code is in the part of the trickOrTreat function that handles the "double price trick" scenario. Specifically, the code allows non-atomic NFT minting based on partial payments, which can be exploited to allocate NFTs temporarily even when the full required ETH is not provided upfront.
Here’s how an exploiter can benefit from the identified vulnerability:
Invoke the trickOrTreat Function with Just Enough ETH for a Normal or Half-Price Transaction: The user (or exploiter) calls the trickOrTreat function with enough ETH to cover the cost of the treat under normal circumstances, or even at half price if they aim to save on expenses and gamble for half-price odds.
Resulting Scenario with "Double Price Trick": If the pseudo-random outcome results in the "double price trick" (random == 2), where the cost multiplier is set to 2 (costMultiplierNumerator = 2 and costMultiplierDenominator = 1), then the required cost doubles.
Check and Condition Handling by Contract: Since the provided ETH was sized for the normal price, it will not cover the newly doubled price. The contract mints the NFT to itself rather than to the user (_mint(address(this), tokenId);) and marks it as pending (via pendingNFTs and pendingNFTsAmountPaid). The contract records the partial payment, which is below the required doubled amount.
Exploiter Benefit: The exploiter has temporarily reserved the NFT without completing its payment in full. This could block other users from obtaining this treat, or the exploiter could refuse to complete the payment, causing a form of denial of service or reservation manipulation.
Potential Exploit: Depending on the nature of the NFT and its market behavior, the exploiter might:
Leverage information (knowing the pending status of a specific NFT and its partial payment) to manipulate secondary market behavior or predictions.
Use the blocked NFT to prevent interest or involvement from other users if there's limited stock, thereby controlling the offer.
This vulnerability allows an exploiter to temporarily control or block specific NFTs by calling the trickOrTreat function with an amount that only covers the regular or half-price scenarios, hoping for a "double price trick" outcome, and then relying on the flawed handling of that outcome.
This can be fixed by enforcing full upfront payment before the _mint function is executed (for the double price case), or simply by rejecting partial payments where the submitted ETH does not meet the newly mandated double cost, rather than allowing any NFT minting and reservation at all.
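The branch described above and the proposed fix, as an added example that is not the contract's code: a simplified Python model of the state changes, reusing the page's names (random == 2, pendingNFTs, pendingNFTsAmountPaid). Assumptions: only the normal and double-price outcomes are modelled, underpayment at the normal price reverts, and the base cost, addresses and the reject_underpayment switch are constructed for illustration.

```python
from dataclasses import dataclass, field

class Revert(Exception):
    """Stands in for a Solidity revert: the call leaves no state behind."""

@dataclass
class TreatModel:
    cost: int                  # base price in wei (constructed value)
    reject_underpayment: bool  # False = behaviour described above, True = proposed fix
    next_token_id: int = 1
    owner_of: dict = field(default_factory=dict)               # tokenId -> owner
    pendingNFTs: dict = field(default_factory=dict)            # tokenId -> buyer
    pendingNFTsAmountPaid: dict = field(default_factory=dict)  # tokenId -> wei held

    def trick_or_treat(self, sender: str, value: int, random: int) -> int:
        # random == 2 is the "double price trick"; any other value is normal price here.
        numerator, denominator = (2, 1) if random == 2 else (1, 1)
        required = self.cost * numerator // denominator
        if value >= required:
            return self._mint(sender)           # paid in full: mint to the buyer
        if random != 2 or self.reject_underpayment:
            raise Revert("insufficient ETH")    # nothing minted, nothing recorded
        # Described behaviour: mint to the contract and park the token as pending.
        token_id = self._mint("address(this)")
        self.pendingNFTs[token_id] = sender
        self.pendingNFTsAmountPaid[token_id] = value
        return token_id

    def _mint(self, to: str) -> int:
        token_id = self.next_token_id
        self.next_token_id += 1
        self.owner_of[token_id] = to
        return token_id

def state_after_underpaid_double(reject_underpayment: bool) -> tuple:
    """Pay the normal price, roll the double-price outcome, report what is left behind."""
    model = TreatModel(cost=100, reject_underpayment=reject_underpayment)
    try:
        model.trick_or_treat("alice", value=100, random=2)
    except Revert:
        pass
    held_by_contract = sum(1 for o in model.owner_of.values() if o == "address(this)")
    return (len(model.pendingNFTs), held_by_contract,
            sum(model.pendingNFTsAmountPaid.values()))

if __name__ == "__main__":
    print("described behaviour:", state_after_underpaid_double(False))
    print("with fix:           ", state_after_underpaid_double(True))
```

The tuple is (pending reservations, tokens held by the contract, wei recorded as partial payment); with the fix enabled all three stay at zero after an underpaid double-price call.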
The protocol can work correctly with more than 20000 tokens in it. It is informational.