2025-02-raac/contracts/core/tokens/RAACNFT.sol at main · Cyfrin/2025-02-raac
The mint function in the RAACNFT contract is vulnerable to a reentrancy attack due to an external call to token.safeTransfer(msg.sender, refundAmount); after an NFT is minted. This allows a malicious contract to re-enter the mint function and repeatedly mint NFTs without paying the full required amount.
The function transfers ERC20 tokens from the user to the contract before minting an NFT.
If the _amount provided by the user is greater than the required price, the contract sends the excess amount back after minting the NFT.
The refund is made via an external call (safeTransfer) to the user's address, which could be a malicious contract that re-enters the mint function.
Proof of concept
Attacker calls mint with an excess amount, ensuring a refund is triggered.
NFT is minted to the attacker before the refund is processed.
Attacker’s contract (a malicious ERC20 token) has a callback function that triggers a second mint before the first one completes.
The process repeats, allowing the attacker to mint multiple NFTs without spending real funds.
Financial Loss: An attacker would drain all NFTs without paying the correct amount.
Modify the contract to inherit from ReentrancyGuard and use the nonReentrant modifier:
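A sketch of that change, added here as an example and not taken from the RAACNFT source. `GuardedMintSketch`, the fixed `price` and the `InsufficientFunds` error are hypothetical, and the import paths assume OpenZeppelin Contracts v5.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Added illustration only: a minimal mint-with-refund contract, not RAACNFT itself.
contract GuardedMintSketch is ERC721, ReentrancyGuard {
    using SafeERC20 for IERC20;

    IERC20 public immutable token; // payment token, named as in the finding
    uint256 public immutable price; // hypothetical flat price for every token id

    error InsufficientFunds();

    constructor(IERC20 _token, uint256 _price) ERC721("Sketch", "SKT") {
        token = _token;
        price = _price;
    }

    /// nonReentrant sets a lock on entry and clears it on exit, so any callback
    /// reached from the external calls below that tries to call mint() again
    /// reverts instead of starting a nested mint.
    function mint(uint256 _tokenId, uint256 _amount) external nonReentrant {
        if (_amount < price) revert InsufficientFunds();

        // Pull the full amount first; the caller must have approved it.
        token.safeTransferFrom(msg.sender, address(this), _amount);

        // State change: the NFT is assigned before any value leaves the contract.
        _safeMint(msg.sender, _tokenId);

        // The refund is the last external call in the function.
        uint256 refundAmount = _amount - price;
        if (refundAmount > 0) {
            token.safeTransfer(msg.sender, refundAmount);
        }
    }
}
```

The guard only covers functions that carry the modifier, so every other state-changing entry point that makes an external call needs `nonReentrant` as well.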