Normally, when a user buys a festival pass, payment is processed and a pass is minted with all state updated before any external call. Here, `_mint()` (which triggers `onERC1155Received`) is called before `passSupply` is updated, opening the function to reentrancy. A malicious receiver can re-enter `buyPass` and mint multiple passes for a single payment.
Likelihood:
Occurs whenever a malicious receiver contract is used.
ERC1155 hooks are a routine target for reentrancy.
Impact:
Multiple passes may be minted for one payment, draining ETH and corrupting accounting.
State may become permanently inconsistent or exploitable.
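A minimal illustration of the ordering the finding describes next to the checks-effects-interactions fix, added here as example code that is not the audited project's contract. The contract names, `PASS_ID`, `PASS_PRICE` and `maxSupply` are assumptions, and the payment accounting is reduced to a fixed `msg.value` check because the page does not show it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
import "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Illustrative only. PASS_ID, PASS_PRICE and maxSupply are assumptions;
// the audited contract's payment accounting is not shown on the page and is
// reduced here to a fixed msg.value check.
abstract contract FestivalPassBase is ERC1155 {
    uint256 public constant PASS_ID = 1;
    uint256 public constant PASS_PRICE = 0.1 ether;
    uint256 public maxSupply = 100;
    uint256 public passSupply;

    constructor() ERC1155("") {}
}

// Vulnerable ordering, as the finding describes: _mint runs the
// onERC1155Received hook before passSupply is updated, so every nested
// re-entrant call still sees the stale count and passes the cap check.
contract FestivalPassVulnerable is FestivalPassBase {
    function buyPass() external payable {
        require(msg.value == PASS_PRICE, "wrong price");
        require(passSupply < maxSupply, "sold out");
        _mint(msg.sender, PASS_ID, 1, ""); // external call to msg.sender
        passSupply += 1;                   // effect after the interaction
    }
}

// Hardened: checks, then effects, then the interaction (CEI), plus
// nonReentrant so a re-entrant buyPass reverts even if ordering regresses.
contract FestivalPassFixed is FestivalPassBase, ReentrancyGuard {
    function buyPass() external payable nonReentrant {
        require(msg.value == PASS_PRICE, "wrong price");
        require(passSupply < maxSupply, "sold out");
        passSupply += 1;                   // effect first
        _mint(msg.sender, PASS_ID, 1, ""); // interaction last
    }
}
```

A regression test that buys from a contract receiver whose `onERC1155Received` calls `buyPass` again should revert against `FestivalPassFixed` and leave `passSupply` at or below `maxSupply`.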