Trick or Treat

First Flight #27
Beginner Friendly, Foundry
100 EXP

Submission Details
Severity: high
Status: Invalid

Potential Exploit in `trickOrTreat` Function with Half-Payment Strategy

Summary

The trickOrTreat function lets a user call it repeatedly with varying treat names while sending a msg.value equal to only half of the treat's cost. Because the amount actually required depends on a random number drawn inside the call, a user can end up receiving an NFT at a discounted price without ever sending the full ETH cost.

Vulnerability Details

Users can invoke the trickOrTreat function repeatedly, each time sending msg.value equal to half of treat.cost.
In the normal-price case (both numerator and denominator are 1), the function reverts due to insufficient funds: https://github.com/Cyfrin/2024-10-trick-or-treat/blob/main/src/TrickOrTreat.sol#L95

require(msg.value >= requiredCost, "Insufficient ETH sent for treat");

However, if the random number is 1, the treat is half price: requiredCost drops to half of treat.cost, the check passes, and the user successfully mints the NFT while paying less than the intended amount.

Proof of Concept:

Consider the following scenario:

  • Treat cost: 0.1 ETH (100000000000000000 wei)

  • User calls trickOrTreat with msg.value = 0.05 ETH (50000000000000000 wei).

  • If random number = 1:
    • requiredCost = 0.05 ETH (the user pays half and receives the NFT).

  • This situation allows the user to exploit the half-price condition repeatedly by submitting calls with insufficient msg.value until one of them succeeds.

Impact

Users can acquire NFTs at a fraction of the intended price, which undermines the economic model of the contract.

Tools Used

Manual Review

Recommendations

Require a minimum payment by adding a check that msg.value is at least equal to the treat's full cost before the random price adjustment is applied.

require(msg.value >= treat.cost, "Must pay at least the cost of the treat");
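The half-payment path from the Proof of Concept and the recommended minimum-payment check, modelled as an added Python example (this is not code from the contest repository). The Treat type, the roll-to-price mapping (only the half-price case the report describes is modelled) and the constructed roll sequence are assumptions.

```python
from dataclasses import dataclass

WEI_PER_ETH = 10**18


@dataclass
class Treat:
    name: str
    cost: int  # in wei


class InsufficientETH(Exception):
    """Models the Solidity revert raised by the require on msg.value."""


def required_cost(treat: Treat, roll: int) -> int:
    # ASSUMPTION: roll == 1 is the half-price outcome the report describes;
    # every other roll charges the normal price (numerator == denominator == 1).
    return treat.cost // 2 if roll == 1 else treat.cost


def trick_or_treat(treat: Treat, msg_value: int, roll: int, hardened: bool = False) -> int:
    """Return the amount charged for one call, or raise InsufficientETH (a revert).

    hardened=True adds the report's recommended check, which runs before the
    random price adjustment and therefore rejects any half payment up front.
    """
    if hardened and msg_value < treat.cost:
        raise InsufficientETH("Must pay at least the cost of the treat")
    cost = required_cost(treat, roll)
    if msg_value < cost:  # the existing check at TrickOrTreat.sol#L95
        raise InsufficientETH("Insufficient ETH sent for treat")
    return cost


def half_payment_strategy(treat: Treat, rolls, hardened: bool = False):
    """Call with half the cost once per roll until a call mints.

    Returns (number_of_calls, wei_paid) for the first successful call, or None
    if every call reverted. Reverted calls only cost the caller gas.
    """
    half = treat.cost // 2
    for attempt, roll in enumerate(rolls, start=1):
        try:
            paid = trick_or_treat(treat, half, roll, hardened)
        except InsufficientETH:
            continue
        return attempt, paid
    return None


# Constructed scenario from the report: 0.1 ETH treat, rolls 5 and 7 revert, roll 1 mints.
SCENARIO_TREAT = Treat("candy", WEI_PER_ETH // 10)
SCENARIO_ROLLS = [5, 7, 1]
```

With the hardened check the same roll sequence never mints, because each half payment is rejected before the random price is even computed.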

Updates

Appeal created

bube Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
