Vulnerability in ERC20ToGenerateNftFraccion Contract: Lack of Access Control on Mint Function
Summary
The ERC20ToGenerateNftFraccion contract used in the divideNft function lacks access control on its mint function. This issue allows any user to mint tokens for a new instance of ERC20ToGenerateNftFraccion created through the divideNft function, potentially leading to unintended minting of tokens.
Vulnerability Details
The attacker calls getErc20InfoFromNft(address nft) to obtain the ERC20Info erc20Address associated with a specific NFT.
The attacker creates a new contract that interacts with the ERC20ToGenerateNftFraccion contract, specifically using the erc20Address retrieved from the ERC20Info object.
Since the mint function on the ERC20ToGenerateNftFraccion contract is public and has no access control, the attacker can mint tokens by calling the mint function directly on the erc20Address.
The attacker can mint tokens equal to the amount specified to "unlock" the NFT or any other desired quantity.
Attacks of othe scenarios can also occur due to this issue
Tools Used
manual review
Impact
Unauthorized Token Minting
NFT Unlocking Exploit: By minting tokens equivalent to the specified amount, attackers may manipulate or unlock NFTs without valid authorization
Recommendations
the mint function should be restricted to TokenDivider.sol only
Lead Judging Commences
Lack of token access control chekcs
Any person can mint the ERC20 token generated in representation of the NFT
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.