GivingThanks

Summary

The GivingThanks contract increments the tokenCounter variable without any validation or control, using it as the unique token ID for new mints in the donate function. This unchecked increment could create gaps in token IDs and expose the contract to potential manipulation by allowing arbitrary ID generation.

Vulnerability Details

The tokenCounter variable is used to assign unique token IDs in each call to donate. However, the counter increments unchecked, meaning gaps can emerge if certain conditions (e.g., failed transactions or reentrancy issues) interrupt the process. Additionally, since there is no control mechanism over the incrementation or assignment of tokenCounter, a malicious actor could potentially exploit this by invoking the function repeatedly or by modifying the contract's code to secure specific token IDs or interfere with the sequence.

• Root Cause: tokenCounter is incremented directly without validation or constraints.

• Instances: tokenCounter incrementation in the donate function.

Impact

Unchecked increments of tokenCounter could lead to gaps in token IDs, which could complicate tracking and organization of minted tokens. Additionally, this lack of control may allow attackers to manipulate token ID assignments, possibly gaining access to preferred IDs or disrupting the intended sequence of IDs.

Tools Used

• Manual Code Review

Recommendations

Implement Safe Counter Incrementation: Use OpenZeppelin’s Counters library to safely handle the incrementation of tokenCounter. This library provides overflow-safe increment operations and helps prevent gaps due to failed transactions.