Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Batch Size Can Only Increase, Preventing Proper Batch Management

Summary

The currentBatchSize variable in RAACNFT.sol can only increase and is never reset or reduced. This leads to an issue where batch minting cannot be properly managed, potentially causing inconsistencies between the allowed minting range and the house price oracle.

Vulnerability Details

The contract allows for batch minting of NFTs using the addNewBatch function.

uint256 public currentBatchSize = 3;

The currentBatchSize variable is initialized at 3 and can only increase with addNewBatch().

function addNewBatch(uint256 _batchSize) public override onlyOwner {
    if (_batchSize == 0) revert RAACNFT__BatchSize();
    currentBatchSize += _batchSize;
}

There is no function to reset or decrease currentBatchSize, so it can only grow. For example, suppose currentBatchSize is initially set to 3, meaning token IDs 0–2 can be minted. If the owner calls addNewBatch(6), currentBatchSize increases to 9. Later, the house price oracle is updated to support only token IDs 0–4. The contract still allows minting up to token ID 9, but token IDs 5–8 will fail since the oracle returns 0. This creates an inconsistency: currentBatchSize suggests more tokens can be minted than the oracle actually supports.

Impact

  1. Batch minting cannot be properly managed, making it difficult to support distinct sets of NFTs for different houses.

  2. The lack of flexibility to reset or reduce batch size means past expansions cannot be corrected.

Tools Used

Manual code review

Recommendations

A function should be introduced to allow batch size reduction or resetting when needed.
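One shape the recommended function could take, as an added sketch that is not taken from RAACNFT.sol. Only currentBatchSize, addNewBatch and RAACNFT__BatchSize appear in the report; the contract name, the ownership check, reduceBatchSize, recordMint and mintedCeiling are hypothetical, and the sketch assumes the contract can track the highest token ID minted so far.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's code. Hypothetical names are marked.
contract BatchSizeSketch {
    error RAACNFT__BatchSize();
    error NotOwner();                                            // hypothetical
    error BelowMintedCeiling(uint256 requested, uint256 floor);  // hypothetical

    event BatchSizeReduced(uint256 oldSize, uint256 newSize);    // hypothetical

    address public immutable owner;
    uint256 public currentBatchSize = 3;
    // Assumption: highest minted token ID plus one, maintained at mint time.
    uint256 public mintedCeiling;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Behaviour described in the report: the limit can only grow.
    function addNewBatch(uint256 _batchSize) public onlyOwner {
        if (_batchSize == 0) revert RAACNFT__BatchSize();
        currentBatchSize += _batchSize;
    }

    // Recommended addition: lower the limit, but never below token IDs that
    // already exist, so a reduction cannot orphan minted NFTs.
    function reduceBatchSize(uint256 _newSize) public onlyOwner {
        if (_newSize >= currentBatchSize) revert RAACNFT__BatchSize();
        if (_newSize < mintedCeiling) revert BelowMintedCeiling(_newSize, mintedCeiling);
        emit BatchSizeReduced(currentBatchSize, _newSize);
        currentBatchSize = _newSize;
    }

    // Stand-in for the mint path's bookkeeping so the floor above has a value.
    function recordMint(uint256 _tokenId) public onlyOwner {
        if (_tokenId >= currentBatchSize) revert RAACNFT__BatchSize();
        if (_tokenId + 1 > mintedCeiling) mintedCeiling = _tokenId + 1;
    }
}
```

In the report's scenario, after addNewBatch(6) the owner could call reduceBatchSize(5) to bring the limit back in line with an oracle that prices only token IDs 0–4, provided no ID above 4 has been minted.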

Updates

Lead Judging Commences

inallhonesty Lead Judge 3 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
