Submission Details
Impact:
Likelihood:
HIGH ISSUE: CEI Pattern Violation in Mint Function
Root + Impact
Description
The state change (
CurrenTokenID++) happens AFTER the external interaction (_safeMint). This could potentially allow reentrancy attacks.
function mint(address to) public onlyOwner returns (uint256) {
uint256 _tokenId = CurrenTokenID;
_safeMint(to, _tokenId); // External interaction
emit BidBeastsMinted(to, _tokenId); // Effect (event)
CurrenTokenID++; // Effect (state change)
return _tokenId;
}
Risk
Likelihood:
Reentrancy can occur when
_safeMintcalls the recipient'sonERC721ReceivedfunctionMalicious contracts can exploit this to manipulate the state before
CurrenTokenIDis incrementedThe vulnerability exists every time a mint occurs to a contract address
Impact:
Potential for duplicate token IDs if reentrancy occurs
State inconsistency in the contract
Possible exploitation of mint logic
Proof of Concept
contract MaliciousReceiver {
BidBeasts nft;
constructor(BidBeasts _nft) {
nft = _nft;
}
function onERC721Received(address, address, uint256, bytes calldata)
external returns (bytes4) {
// Reentrant call during mint
// CurrenTokenID hasn't been incremented yet
uint256 currentId = nft.CurrenTokenID();
// Could potentially exploit this state
return this.onERC721Received.selector;
}
}
Recommended Mitigation
function mint(address to) public onlyOwner returns (uint256) {
uint256 _tokenId = CurrenTokenID;
+ CurrenTokenID++; // Effect first
_safeMint(to, _tokenId); // Interaction last
emit BidBeastsMinted(to, _tokenId);
- CurrenTokenID++;
return _tokenId;
}
Rewards breakdown
nSLOC
170This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.