GivingThanks

First Flight #28
Beginner Friendly
Foundry
100 EXP
Submission Details
Severity: medium
Invalid

Incorrect Usage of mint instead of safeMint in GivingThanks Contract

Summary

The contract uses _mint to mint new tokens instead of _safeMint, which is the recommended approach in ERC721 contracts. Using _safeMint ensures that tokens are only minted to addresses capable of handling them, which prevents tokens from being sent to contracts that do not support ERC721.

Vulnerability Details

    function mintToken(address recipient, string memory tokenURI) public {
        require(registry.isVerified(msg.sender), "Not a verified charity");
        _mint(recipient, tokenCounter); // @audit should use safeMint
        _setTokenURI(tokenCounter, tokenURI);
        tokenCounter++;
    }

Impact

Using _mint can lead to issues if the recipient address is a contract that does not support receiving ERC721 tokens, potentially causing tokens to be permanently locked.

Tools Used

Manual review

Recommendations

Replace _mint with _safeMint in the mintToken function.

    function mintToken(address recipient, string memory tokenURI) public {
        require(registry.isVerified(msg.sender), "Not a verified charity");
        _safeMint(recipient, tokenCounter); // Use safeMint for better compatibility
        _setTokenURI(tokenCounter, tokenURI);
        tokenCounter++;
    }

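The difference between the two mint paths can be checked with a small Foundry test. This is an added example, not code from the submission or from the GivingThanks project: DemoToken, PlainContract and AwareContract are hypothetical names, and the import paths assume forge-std and OpenZeppelin Contracts are installed with the usual remappings.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example; import paths assume forge-std and OpenZeppelin Contracts with default remappings.
import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";

// Hypothetical minimal token exposing both mint paths (not the GivingThanks contract).
contract DemoToken is ERC721 {
    uint256 public tokenCounter;
    constructor() ERC721("Demo", "DEMO") {}
    function mintUnchecked(address to) external { _mint(to, tokenCounter); tokenCounter++; }
    function mintChecked(address to) external { _safeMint(to, tokenCounter); tokenCounter++; }
}

// Contract recipient with no onERC721Received hook: it cannot acknowledge ERC721 tokens.
contract PlainContract {}

// Contract recipient that implements the hook and returns the expected selector.
contract AwareContract is IERC721Receiver {
    function onERC721Received(address, address, uint256, bytes calldata) external pure returns (bytes4) {
        return IERC721Receiver.onERC721Received.selector;
    }
}

contract MintVsSafeMintTest is Test {
    DemoToken token;
    function setUp() public { token = new DemoToken(); }

    function test_mintAcceptsNonReceiver() public {
        address plain = address(new PlainContract());
        token.mintUnchecked(plain); // _mint performs no receiver check
        assertEq(token.ownerOf(0), plain); // token now sits in a contract with no hook
    }

    function test_safeMintRejectsNonReceiver() public {
        address plain = address(new PlainContract());
        vm.expectRevert(); // revert data differs between OpenZeppelin versions, so match any revert
        token.mintChecked(plain);
        assertEq(token.tokenCounter(), 0); // nothing was minted
    }

    function test_safeMintAcceptsReceiver() public {
        address aware = address(new AwareContract());
        token.mintChecked(aware); // hook returns the selector, so the mint completes
        assertEq(token.ownerOf(0), aware);
    }
}
```

Run it with forge test. Externally owned accounts have no code and pass both paths, so the receiver check only affects contract recipients.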
Updates

Lead Judging Commences

n0kto Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Appeal created

bryanconquer Submitter
12 months ago
n0kto Lead Judge
12 months ago
n0kto Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
