NextGen - critical-or-high's results

Advanced smart contracts for launching generative art projects on Ethereum.

General Information

Platform: Code4rena

Start Date: 30/10/2023

Pot Size: $49,250 USDC

Total HM: 14

Participants: 243

Period: 14 days

Judge: 0xsomeone

Id: 302

League: ETH

NextGen

Researcher Performance

Rank: 191/243

Findings: 1

Award: $0.08

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/MinterContract.sol#L196
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L189
https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/NextGenCore.sol#L193-L195

Vulnerability details

Impact

Functions MinterContract.mint() and NextGenCore.mint() lack re-entrancy protection. Moreover, NextGenCore.mint() violates the checks-effects-interactions (CEI) pattern. As a result, it is possible to mint more NFTs than the _maxAllowance parameter of MinterContract.mint() permits.

A user who is eligible for the NFT mint during phase 1 calls MinterContract.mint() and presents a Merkle proof along with other parameters, including _maxAllowance. The leaf must be in the Merkle tree and incorporates msg.sender, _maxAllowance, and _tokenData.

The user must not mint more than _maxAllowance; gencore.retrieveTokensMintedALPerAddress(col, msg.sender) holds the number of NFTs this address has minted so far, and the allowance check is made against that value.

Eventually, gencore.mint() is called.

However, in gencore.mint() the value of tokensMintedAllowlistAddress is updated only after mintProcessing(), which internally invokes _safeMint() with a callback to the recipient. Therefore, a malicious minter could use the callback from _safeMint() to call MinterContract.mint() recursively with the same Merkle proof and mint any number of NFTs, bypassing the _maxAllowance upper bound: every re-entered call reads the still-stale counter and passes the allowance check.
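The following is an added illustration, not code from the NextGen repository: a simplified model of the MinterContract -> NextGenCore.mint() -> _safeMint() path that places the defective ordering beside the corrected one. OpenZeppelin's ERC721 and MerkleProof are real libraries; the contract names VulnerableCore, HardenedCore and Minter, the one-time setMinter() helper, the storage layout and the inline nonReentrant lock are assumptions made for the model and do not mirror the project's actual code.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added model, not NextGen's code. Contract names, setMinter() and the
// inline lock are assumptions; ERC721 and MerkleProof are OpenZeppelin's.
import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";

/// Core with the ordering the finding describes: the per-address counter is
/// bumped only after _safeMint(), whose onERC721Received callback hands
/// control to the recipient while the counter is still stale.
contract VulnerableCore is ERC721 {
    mapping(uint256 => mapping(address => uint256)) internal tokensMintedAllowlistAddress;
    address public minter;
    uint256 private nextId;

    constructor() ERC721("Model", "MDL") {}

    // One-time wiring of the minter address (simplification for the model).
    function setMinter(address m) external { require(minter == address(0), "set"); minter = m; }

    function retrieveTokensMintedALPerAddress(uint256 col, address who) external view returns (uint256) {
        return tokensMintedAllowlistAddress[col][who];
    }

    function mint(uint256 col, address to) external {
        require(msg.sender == minter, "only minter");
        _safeMint(to, nextId++);                    // interaction first: callback runs here
        tokensMintedAllowlistAddress[col][to] += 1; // effect last: not yet visible to the callback
    }
}

/// Same core with checks, then effects, then the external interaction,
/// plus a minimal re-entrancy lock on the entry point.
contract HardenedCore is ERC721 {
    mapping(uint256 => mapping(address => uint256)) internal tokensMintedAllowlistAddress;
    address public minter;
    uint256 private nextId;
    bool private locked;

    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }

    constructor() ERC721("Model", "MDL") {}

    function setMinter(address m) external { require(minter == address(0), "set"); minter = m; }

    function retrieveTokensMintedALPerAddress(uint256 col, address who) external view returns (uint256) {
        return tokensMintedAllowlistAddress[col][who];
    }

    function mint(uint256 col, address to) external nonReentrant {
        require(msg.sender == minter, "only minter");
        tokensMintedAllowlistAddress[col][to] += 1; // effect before interaction
        _safeMint(to, nextId++);                    // callback now observes the updated count
    }
}

interface ICore {
    function mint(uint256 col, address to) external;
    function retrieveTokensMintedALPerAddress(uint256 col, address who) external view returns (uint256);
}

/// Model of the allowlist minter. In front of VulnerableCore the allowance
/// require() passes on every re-entered call because the counter it reads has
/// not moved; in front of HardenedCore, or with its own lock, a re-entered
/// call reverts.
contract Minter {
    ICore public immutable gencore;
    bytes32 public immutable merkleRoot;
    bool private locked;

    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }

    constructor(ICore core, bytes32 root) { gencore = core; merkleRoot = root; }

    function mint(uint256 col, uint256 _maxAllowance, string calldata _tokenData,
                  bytes32[] calldata proof) external nonReentrant {
        // The leaf binds caller, allowance and token data, as the finding describes.
        bytes32 leaf = keccak256(abi.encodePacked(msg.sender, _maxAllowance, _tokenData));
        require(MerkleProof.verify(proof, merkleRoot, leaf), "bad proof");
        require(gencore.retrieveTokensMintedALPerAddress(col, msg.sender) < _maxAllowance,
                "allowance exhausted");
        gencore.mint(col, msg.sender);
    }
}
```

Two independent fixes are shown because either one closes the window on its own: moving the counter update ahead of _safeMint() makes the re-entered allowance check read the correct value, and the nonReentrant lock on Minter.mint() (or on the core's mint()) rejects the nested call outright. Applying both, as the finding recommends, means a future reordering of the core cannot silently reopen the issue.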

Proof of Concept

Tools Used

Manual review.

Recommended Mitigation Steps

Implement re-entrancy protection for MinterContract.mint() and NextGenCore.mint().

Assessed type

Reentrancy

#0 - c4-pre-sort

2023-11-20T02:21:21Z

141345 marked the issue as duplicate of #51

#1 - c4-pre-sort

2023-11-26T13:59:45Z

141345 marked the issue as duplicate of #1742

#2 - c4-judge

2023-12-08T16:39:27Z

alex-ppg marked the issue as satisfactory

#3 - c4-judge

2023-12-08T16:40:32Z

alex-ppg marked the issue as partial-50
