The Turnstile contract contains a distributeFees function which can only be called by the owner to assign and distribute fees for a _tokenId.
However, the function does not validate the _tokenId input value. It is therefore possible for the owner to pass any uint256 value to the function and have the sent ETH recorded as the claimable fee for that particular _tokenId.
The _tokenIdTracker is a counter which is initialized as 0 and is incremented by 1 on every successful token mint.
If an invalid/non-existent _tokenId is provided to the distributeFees function, the sent ETH gets stuck in the Turnstile contract. The only way to recover that ETH is to mint new tokens until _tokenIdTracker reaches _tokenId and then call the withdraw function. Keep in mind that the Turnstile contract only allows minting of one NFT per account, which makes the recovery even harder.
Case 1
Case 2
In Case 1 the deployer was able to recover the funds, but had to spend gas minting 91 NFTs. This also results in 91 redundant NFTs. In Case 2 an attacker was able to steal those 10 ETH, because the register function can be invoked by anyone.
Manual review
In the distributeFees function, a check must be introduced so that fees can only be distributed to already existing token ids.
if (!_exists(_tokenId)) revert InvalidTokenId();
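The following minimal model, written for this note and not taken from the Turnstile source, puts the unchecked function next to the checked one so the difference in behaviour is visible in one place. ERC721 is reduced to a mint counter; the register and withdraw signatures, the recipient parameter and the one-mint-per-account bookkeeping are assumptions modelled from the issue text.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Stand-alone model of the Turnstile fee bookkeeping discussed in this issue.
/// NOT the Canto Turnstile source: ERC721 is reduced to a counter so it compiles alone.
contract TurnstileModel {
    error InvalidTokenId();
    error NotOwner();
    error AlreadyMinted();

    address public immutable owner;
    uint256 private _tokenIdTracker;               // next id to mint, starts at 0
    mapping(uint256 => address) public ownerOf;    // token id => holder
    mapping(address => bool) public hasMinted;     // one NFT per account (assumed)
    mapping(uint256 => uint256) public balances;   // claimable fee per token id

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    /// A token exists iff it has already been minted, i.e. its id is below the tracker.
    function _exists(uint256 tokenId) internal view returns (bool) {
        return tokenId < _tokenIdTracker;
    }

    /// Anyone may register once; signature is an assumption for this model.
    function register(address recipient) external returns (uint256 tokenId) {
        if (hasMinted[msg.sender]) revert AlreadyMinted();
        hasMinted[msg.sender] = true;
        tokenId = _tokenIdTracker++;
        ownerOf[tokenId] = recipient;
    }

    /// Vulnerable shape from the issue: any uint256 is accepted, so ETH sent for an
    /// unminted id is credited to a balance nobody can withdraw until that id is minted.
    function distributeFeesUnchecked(uint256 _tokenId) external payable onlyOwner {
        balances[_tokenId] += msg.value;
    }

    /// Recommended shape: reject ids that have not been minted yet.
    function distributeFees(uint256 _tokenId) external payable onlyOwner {
        if (!_exists(_tokenId)) revert InvalidTokenId();
        balances[_tokenId] += msg.value;
    }

    function withdraw(uint256 _tokenId, address payable recipient) external returns (uint256 amount) {
        if (ownerOf[_tokenId] != msg.sender) revert NotOwner();
        amount = balances[_tokenId];
        balances[_tokenId] = 0;
        recipient.transfer(amount);
    }
}
```

With the checked version, a call such as distributeFees(100) while only ids 0 through 8 exist reverts with InvalidTokenId and the ETH stays with the caller, instead of sitting in the contract until 91 further mints catch up.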