Foundation Drop contest - Kumpa's results

Foundation is a web3 destination.

General Information

Platform: Code4rena

Start Date: 11/08/2022

Pot Size: $40,000 USDC

Total HM: 8

Participants: 108

Period: 4 days

Judge: hickuphh3

Total Solo HM: 2

Id: 152

League: ETH

Foundation

Findings Distribution

Researcher Performance

Rank: 74/108

Findings: 1

Award: $41.21

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2022-08-foundation/blob/792e00df429b0df9ee5d909a0a5a6e72bd07cf79/contracts/NFTCollection.sol#L265-L273

Vulnerability details

In NFTCollection.sol, tokenId can overflow back to its initial value if the creator keeps minting until latestTokenId equals the maximum value of uint32 (4294967295). If the first NFT of the collection (tokenId: 1) has been burned and is supposed to be untransferable, this overflow enables the creator to mint the burned NFT back and own it.

Proof of Concept


-The creator mints NFT#1 and transfers it to the purchaser.
-The purchaser, for whatever reason, does not want to see this NFT in his wallet or in any other wallet, so he decides to burn it, setting the owner of NFT#1 to address(0).
-The creator wants to resurrect NFT#1, so he decides to mint 4294967297 more NFTs in this collection.
-When latestTokenId reaches 4294967295, the next time _mint is called the next tokenId will be zero, due to the overflow caused by unchecked.
-Since NFT#1 no longer _exist()s after the burn, the creator will be able to mint this NFT back again.

Mitigations

The unchecked block should be removed so that incrementing latestTokenId reverts once it overflows.

***I also believe that NFTDropCollection.sol encounters a similar issue with mintCountTo() if maxTokenId is set to the max value of uint32.
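The following is an added illustration of the counter pattern described above and of the suggested mitigation; it is not code from the Foundation contracts, and the contract and function names (UncheckedTokenIdCounter, CheckedTokenIdCounter, OverflowDemo, nextTokenId) are made up for this example. The vulnerable counter increments a uint32 inside an unchecked block and wraps to 0 and then 1 after the maximum id, which is exactly the id of the burned token in the scenario above; the hardened counter uses Solidity 0.8 checked arithmetic and reverts with a Panic instead.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

/// Vulnerable pattern (hypothetical, modelled on the finding above):
/// the uint32 counter is incremented inside `unchecked`, so once it holds
/// type(uint32).max (4294967295) the next id silently wraps to 0, then 1.
contract UncheckedTokenIdCounter {
    uint32 public latestTokenId;

    // The constructor lets the demo start the counter near the maximum
    // instead of minting ~4.3 billion tokens.
    constructor(uint32 startAt) {
        latestTokenId = startAt;
    }

    function nextTokenId() external returns (uint32 tokenId) {
        unchecked {
            tokenId = ++latestTokenId; // wraps to 0 after 4294967295
        }
    }
}

/// Hardened pattern: the same increment without `unchecked`. Solidity >= 0.8
/// checked arithmetic reverts with Panic(0x11) instead of wrapping, so a
/// previously issued (and possibly burned) id can never be handed out again.
contract CheckedTokenIdCounter {
    uint32 public latestTokenId;

    constructor(uint32 startAt) {
        latestTokenId = startAt;
    }

    function nextTokenId() external returns (uint32 tokenId) {
        tokenId = ++latestTokenId; // reverts on overflow
    }
}

/// Deploy and call run() to observe both behaviours side by side.
contract OverflowDemo {
    function run()
        external
        returns (uint32 wrappedId, uint32 reusedId, bool checkedReverted)
    {
        uint32 atMax = type(uint32).max; // counter already at the last valid id

        UncheckedTokenIdCounter bad = new UncheckedTokenIdCounter(atMax);
        CheckedTokenIdCounter good = new CheckedTokenIdCounter(atMax);

        wrappedId = bad.nextTokenId(); // 0
        reusedId = bad.nextTokenId();  // 1: the id of the burned NFT#1

        // The checked counter refuses to go past the maximum.
        try good.nextTokenId() returns (uint32 id) {
            id; // unreachable: silence the unused-variable warning
            checkedReverted = false;
        } catch Panic(uint256 /* 0x11 = arithmetic overflow */) {
            checkedReverted = true;
        }
    }
}
```

Calling OverflowDemo.run() returns (0, 1, true): the unchecked counter issues id 0 and then id 1 again, while the checked counter reverts. Because a burned token no longer exists from the ERC-721 contract's point of view, the reissued id 1 would pass the usual "token must not exist" check in a mint, which is why removing the unchecked block (or otherwise bounding the counter) is the right fix rather than relying on that check.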

#0 - HardlyDifficult

2022-08-19T11:04:55Z

#1 - HickupHH3

2022-08-26T02:56:13Z

warden's primary QA report
