Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: low
Invalid

Batch size not enforced in NFT minting allows unlimited token creation

Vulnerability Details

The contract maintains a currentBatchSize state variable that is incremented through the addNewBatch() function:

function addNewBatch(uint256 _batchSize) public override onlyOwner {
    if (_batchSize == 0) revert RAACNFT__BatchSize();
    currentBatchSize += _batchSize;
}

However, the mint() function does not check against this batch size limit:

function mint(uint256 _tokenId, uint256 _amount) public override {
    uint256 price = raac_hp.tokenToHousePrice(_tokenId);
    if (price == 0) revert RAACNFT__HousePrice();
    if (price > _amount) revert RAACNFT__InsufficientFundsMint();
    // ... minting logic ...
}

The only limitation on minting is that the tokenId must have a valid non-zero price in the raac_hp oracle contract.

Impact

  • The batch size tracking becomes meaningless since it's not enforced

  • More NFTs can be minted than intended by the protocol

Recommendation

Add Batch Size Check

function mint(uint256 _tokenId, uint256 _amount) public override {
+ if (_tokenId >= currentBatchSize) revert RAACNFT__ExceedsBatchSize();
uint256 price = raac_hp.tokenToHousePrice(_tokenId);
if (price == 0) revert RAACNFT__HousePrice();
if (price > _amount) revert RAACNFT__InsufficientFundsMint();
// ... rest of the function
}
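
Review bot: the check on the added line compares _tokenId with currentBatchSize, so it restricts which token IDs can be minted, not how many tokens are minted. That enforces the batch size only if IDs are issued contiguously from 0, which nothing in the visible lines establishes; mint() otherwise accepts any _tokenId that has a non-zero price in raac_hp. If the intent is a cap on the number of mints, comparing a minted count against currentBatchSize would express it directly. RAACNFT__ExceedsBatchSize is also not among the errors that appear in the excerpts (RAACNFT__BatchSize, RAACNFT__HousePrice, RAACNFT__InsufficientFundsMint) and would need to be declared alongside them.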

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
