Trick or Treat

First Flight #27

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

User Can Reserve NFT Without Full Payment if trickOrTreat is Called with Insufficient ETH

davidjohn241018

Summary

In the SpookySwap contract, the trickOrTreat function enables users to purchase NFTs with variable pricing scenarios based on a randomized multiplier (normal price, half price, or double price). However, in the case of the double price scenario, if the user submits an insufficient payment, the contract mints the NFT into a “pending” state without reverting. This allows the user to potentially acquire an NFT without completing the full payment.

Vulnerability Details

When costMultiplierNumerator is set to 2 (double price scenario) in the trickOrTreat function, the contract verifies whether the user has sent enough ETH. If the payment is insufficient, the contract mints the NFT to the contract’s address and logs it as “pending” until the user calls resolveTrick to complete the payment. However, there is currently no mechanism in place to enforce the completion of this payment, meaning users can potentially reserve NFTs without fully paying for them.

This vulnerability can lead to several issues:

Loss of revenue for the contract owner due to unpaid or partially paid NFTs.
NFTs being locked in an unpaid state, creating inventory inefficiency.
Potential storage bloat from accumulated unpaid NFTs, which may degrade contract performance and lead to increased gas costs.

Steps to Reproduce:

The owner adds a treat to the contract with a specific cost (e.g., 100 wei).

A user calls the trickOrTreat function and receives a double price scenario.
The user sends less than the required doubled cost.
Instead of reverting, the contract mints the NFT to the contract’s address, assuming the user will call resolveTrick to complete the payment.
The user refrains from calling resolveTrick, leaving the NFT minted but unpaid, and no mechanism exists to reclaim or delete this “locked” NFT.

Impact

This vulnerability can lead to loss of revenue for the contract owner as users can “reserve” NFTs without completing payment. If exploited repeatedly, it could deplete the contract's inventory and cause storage bloat, leading to inefficiency in managing the NFTs within the contract.

Tools Used

Tests

Mitigations

Modify the trickOrTreat function to revert if the user does not provide the required payment, ensuring NFTs are only minted upon full payment.

solidity

if (msg.value < requiredCost) {

revert("Insufficient ETH sent for treat");

}

Add an event to log pending mints that require completion through resolveTrick, helping track incomplete payments.

These changes will help secure revenue for the contract owner and prevent NFTs from being locked in an unpaid state.

Updates

Appeal created

bube Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

[invalid] Unlimited pending NFTs

The protocol can work correctly with more than 20000 tokens in it. It is informational.

Rewards breakdown

nSLOC

109

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.