Project
One World
NFTDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: low
Invalid

[L-1] `OWPIdentity.sol::mintBatch()` Should not exist as a function if current implementation is intentional. If it has been incorrectly implemented, unexpected behaviour will occur.

casinocompiler

Description:

If the current implementation of mintBatch() was intended, one address should not have multiple KYC IDs ever, as such, this function should not exist. If the intended implementation was to streamline the backend and to allow it to mint multiple different IDs to different addresses, the entire function needs to be reworked.

Explanation for severity:

In it's current implementation, this function should just never be used, as such, severity is low.

However, if it were to streamline the backend and allow multiple mints of different IDs to different addresses, this is protocol breaking and a higher severity should be considered.

Impact:

  1. With current functionality, having 1 address have >1 different KYC IDs does not make sense.

  2. If other functionality was expected, protocol breaking behaviour will occur.

Proof of Concept:

  1. Create a new test folder and ensure foundry.toml::profile.default::test points to test folder.

  2. Create a contract in the folder with the following code:

// SPDX-License-Identifier: MIT
pragma solidity 0.8.22;
import {Test, console} from "forge-std/Test.sol";
import {OWPIdentity} from "../contracts/OWPIdentity.sol"; // Import PATH may alter
contract OWPIdentityTest is Test {
OWPIdentity public owpIdentity;
address public owner;
address public backendMinter; // Protocol controlled address with MINTER_ROLE
address public userA;
address public userB;
function setUp() public {
owner = makeAddr("owner");
backendMinter = makeAddr("backendMinter");
userA = makeAddr("user");
vm.prank(owner);
owpIdentity = new OWPIdentity(
owner,
backendMinter, // Protocol's backend minting address
"https://example.com/{id}.json"
);
}
function test_BackendCanBatchMintMultipleAmounts() public {
vm.startPrank(backendMinter);
// Input args for function
// NOTE:: should be new uint256[](2);
uint256[] memory ids = new uint256[]();
ids[0] = 1;
ids[1] = 2;
uint256[] memory amounts = new uint256[]();
amounts[0] = 1;
amounts[1] = 1;
// Mint KYC ID 1 and KYC ID 2 to userA
owpIdentity.mintBatch(userA, ids, amounts, "");
// Show userA has 2 different KYC IDs
assertEq(owpIdentity.balanceOf(userA, 1), 1);
assertEq(owpIdentity.balanceOf(userA, 2), 1);
vm.stopPrank();
}
}

  1. run forge test.

Tools Used:

Manual review and custom Forge test suite - Convert Hardhat project to Foundry

Recommended Mitigation:

  • Dependant on intended implementation, the function should either be removed or completely reworked.

  • An auxiliary function from this is burnBatch() which works in tandem with mintBatch() , thus requiring removal / reworking too.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!