Core Contracts
Regnum Aurum Acquisition Corp
HardhatReal World AssetsNFT
77,280 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Users can mint NFTs Outside Intended Batches

udogodwin2k22

Summary

The RAACNFT.sol contract does not enforce batch limits in the mint function, allowing users to mint NFTs beyond the intended batch size. This could lead to unauthorized minting, disrupting the protocol's intention of Allowing for batch minting of NFTs.

Vulnerability Details

The root cause of this vulnerability lies in the absence of a check in the mint function to ensure that the _tokenId being minted falls within the currently allowed batch size. The contract defines currentBatchSize but does not use it to restrict minting.

uint256 public currentBatchSize = 3;

The function addNewBatch increases currentBatchSize:

function addNewBatch(uint256 _batchSize) public override onlyOwner {
if (_batchSize == 0) revert RAACNFT__BatchSize();
currentBatchSize += _batchSize;
}

However, the mint function does not check whether _tokenId falls within currentBatchSize:

function mint(uint256 _tokenId, uint256 _amount) public override {
uint256 price = raac_hp.tokenToHousePrice(_tokenId);
if(price == 0) { revert RAACNFT__HousePrice(); }
if(price > _amount) { revert RAACNFT__InsufficientFundsMint(); }
// transfer erc20 from user to contract - requires pre-approval from user
token.safeTransferFrom(msg.sender, address(this), _amount);
// mint tokenId to user
_safeMint(msg.sender, _tokenId);
// If user approved more than necessary, refund the difference
if (_amount > price) {
uint256 refundAmount = _amount - price;
token.safeTransfer(msg.sender, refundAmount);
}
emit NFTMinted(msg.sender, _tokenId, price);
}

Since there is no condition like require(_tokenId < currentBatchSize, "Token ID exceeds current batch limit");, a user can mint tokens beyond the intended limit. This allows unauthorized minting and disrupts the expected NFT distribution.

Impact

  • Users can mint NFTs outside of the intended batch, leading to unintended token distribution.

  • The protocol's NFT release schedule can be manipulated, leading to loss of control over scarcity and demand.

Tools Used

  • Manual code review

Recommendations

To fix this issue, modify the mint function to include a validation check that ensures _tokenId does not exceed currentBatchSize. The fix could be implemented as follows:

function mint(uint256 _tokenId, uint256 _amount) public override {
require(_tokenId < currentBatchSize, "Token ID exceeds current batch limit");
uint256 price = raac_hp.tokenToHousePrice(_tokenId);
if(price == 0) { revert RAACNFT__HousePrice(); }
if(price > _amount) { revert RAACNFT__InsufficientFundsMint(); }
token.safeTransferFrom(msg.sender, address(this), _amount);
_safeMint(msg.sender, _tokenId);
if (_amount > price) {
uint256 refundAmount = _amount - price;
token.safeTransfer(msg.sender, refundAmount);
}
emit NFTMinted(msg.sender, _tokenId, price);
}

This simple check ensures that minting is restricted to the allowed batch size, preventing unauthorized minting beyond intended releases.

Updates

Lead Judging Commences

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.