Submission Details
Impact:
Likelihood:
Snowman::mintSnowman` updates state after the external `_safeMint` call (CEI)
Root + Impact
Description
-
mintSnowmanincrementss_TokenCounterafter_safeMint, which performs an externalonERC721Receivedcallback. -
This violates Checks-Effects-Interactions; it is currently mitigated only because ERC721 reverts on a duplicate token id, but the ordering is fragile.
_safeMint(receiver, s_TokenCounter); // external callback happens here
emit SnowmanMinted(receiver, s_TokenCounter);
@> s_TokenCounter++; // state updated AFTER the external call
// Root cause in the codebase with @> marks to highlight the relevant section
Risk
Likelihood:
Occurs on every mint to a contract receiver that implements
onERC721Received.
Impact:
Reentrancy-prone ordering; safe today only by accident of ERC721's duplicate-id check.
Proof of Concept
```text
Static (aderyn / Slither reentrancy-events): state write after external call in mintSnowman.
```
Recommended Mitigation
```diff
- _safeMint(receiver, s_TokenCounter);
- emit SnowmanMinted(receiver, s_TokenCounter);
- s_TokenCounter++;
+ uint256 tokenId = s_TokenCounter;
+ s_TokenCounter++; // effects before interaction
+ _safeMint(receiver, tokenId);
+ emit SnowmanMinted(receiver, tokenId);
```
Rewards breakdown
This contest has a flat reward structure with the following payouts:
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.