-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wrong minting logic based on total token count across generations #231
Comments
koolexcrypto marked the issue as satisfactory |
koolexcrypto marked the issue as selected for report |
koolexcrypto changed the severity to 2 (Med Risk) |
koolexcrypto changed the severity to 3 (High Risk) |
koolexcrypto changed the severity to 2 (Med Risk) |
koolexcrypto changed the severity to 3 (High Risk) |
@koolexcrypto thanks for the swift judging! I have the same finding in my QA report #32 L-01, I guess it has been missed. Can you please make it a duplicate of this issue? Thanks for your time! |
Lines of code
https://github.com/code-423n4/2024-07-traitforge/blob/main/contracts/TraitForgeNft/TraitForgeNft.sol#L215
Vulnerability details
https://github.com/code-423n4/2024-07-traitforge/blob/main/contracts/TraitForgeNft/TraitForgeNft.sol#L215
Summary
TraitForgeNft::mintWithBudget
function is similar tomintToken
, but allows users to mint multiple tokens in a single transaction if they have a budget exceeding the minting price for one token.However,
_tokenIds
tracks the total number of tokens ever minted, not just the tokens in the current generation.Impact
In the current implementation,
_tokenIds
is used to control the minting process. The check while(budgetLeft >= mintPrice && _tokenIds < maxTokensPerGen)
ensures that minting will stop when current generation minted tokens reachesmaxTokensPerGen
.Instead of checking the number of tokens minted in the current generation, the function incorrectly checks the total number of tokens minted across all generations (
_tokenIds
).Proof of Concept
Here is the current implementation of the
mintWithBudget
function in the smart contract on line 215:The function will not allow minting if
_tokenIds
is greater than10,000
which will happen after the 1st generation is fully minted.Tools Used
Manual Review
Recommended Mitigation Steps
Use
generationMintCounts[currentGeneration]
instead of_tokenIds
.Assessed type
Invalid Validation
The text was updated successfully, but these errors were encountered: