Art Gobblers contest - KIntern_NA's results

Experimental Decentralized Art Factory By Justin Roiland and Paradigm.

General Information

Platform: Code4rena

Start Date: 20/09/2022

Pot Size: $100,000 USDC

Total HM: 4

Participants: 109

Period: 7 days

Judge: GalloDaSballo

Id: 163

League: ETH

Art Gobblers

Findings Distribution

Researcher Performance

Rank: 24/109

Findings: 1

Award: $1,858.21

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

Labels

bug
duplicate
3 (High Risk)

Awards

1858.2053 USDC - $1,858.21

External Links

Lines of code

https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/ArtGobblers.sol#L432-L442

Vulnerability details

[2022-09-artgobblers] Forgetting to delete approvals can let an attacker mint any legendary gobbler at zero net cost in standard gobblers.

tags: c4, 2022-09-artgobblers, high

Affected code

https://github.com/code-423n4/2022-09-artgobblers/blob/main/src/ArtGobblers.sol#L432-L442

Impact

When a new legendary gobbler is minted, a number of standard gobblers (the cost) must be burned. However, when mintLegendaryGobbler() batch-burns these gobblers, the contract does not delete their approvals. So, after minting the legendary gobbler, an attacker who had approved those gobblers to another address beforehand can take back the gobblers that were supposed to be burned.

Proof of concept

Tools Used

Manual review, Foundry

Delete each gobbler's approval when batch burning in mintLegendaryGobbler():

for (uint256 i = 0; i < cost; ++i) {
    id = gobblerIds[i];

    if (id >= FIRST_LEGENDARY_GOBBLER_ID) revert CannotBurnLegendary(id);

    require(getGobblerData[id].owner == msg.sender, "WRONG_FROM");

    burnedMultipleTotal += getGobblerData[id].emissionMultiple;

    // "Burn" by zeroing the owner; without the line below, getApproved[id] survives this.
    emit Transfer(msg.sender, getGobblerData[id].owner = address(0), id);

    delete getApproved[id]; // delete the approval of gobbler
}
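To make the root cause concrete, the following is an added illustration, not the project's code: a constructed minimal ERC721-style ledger whose transferFrom checks are modeled on the Solmate-style ERC721 that ArtGobblers builds on, with the vulnerable batch burn next to the corrected one.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Constructed minimal ledger for illustration only (not ArtGobblers code).
contract BurnApprovalDemo {
    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => address) public getApproved;

    event Transfer(address indexed from, address indexed to, uint256 indexed id);

    function mint(address to, uint256 id) external {
        require(ownerOf[id] == address(0), "ALREADY_MINTED");
        emit Transfer(address(0), ownerOf[id] = to, id);
    }

    function approve(address spender, uint256 id) external {
        require(msg.sender == ownerOf[id], "NOT_OWNER");
        getApproved[id] = spender;
    }

    // Solmate-style checks: `from` must equal the stored owner, and the caller
    // must be `from` or the per-token approved spender.
    function transferFrom(address from, address to, uint256 id) external {
        require(from == ownerOf[id], "WRONG_FROM");
        require(to != address(0), "INVALID_RECIPIENT");
        require(msg.sender == from || msg.sender == getApproved[id], "NOT_AUTHORIZED");
        ownerOf[id] = to;
        delete getApproved[id];
        emit Transfer(from, to, id);
    }

    // Vulnerable pattern: the owner is zeroed but getApproved[id] is left intact,
    // so a previously approved spender still passes the NOT_AUTHORIZED check and
    // the WRONG_FROM check is satisfied by from == address(0). The burn is reversible.
    function burnBatchVulnerable(uint256[] calldata ids) external {
        for (uint256 i = 0; i < ids.length; ++i) {
            require(ownerOf[ids[i]] == msg.sender, "WRONG_FROM");
            emit Transfer(msg.sender, ownerOf[ids[i]] = address(0), ids[i]);
        }
    }

    // Fixed pattern: same loop, plus clearing the approval, as the mitigation recommends.
    // Invariant after a burn: ownerOf[id] == address(0) && getApproved[id] == address(0).
    function burnBatchFixed(uint256[] calldata ids) external {
        for (uint256 i = 0; i < ids.length; ++i) {
            require(ownerOf[ids[i]] == msg.sender, "WRONG_FROM");
            emit Transfer(msg.sender, ownerOf[ids[i]] = address(0), ids[i]);
            delete getApproved[ids[i]];
        }
    }
}
```

A Foundry regression test for the real contract should assert the same invariant (owner and approval both zero) for every id passed to mintLegendaryGobbler() after it returns.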