Code4rena CODE423N4:2023-01-RABBITHOLE-FINDINGS-ISSUES-627
Jan 30, 2023 - 12:00 a.m.

Wrongly implemented modifier allows everybody to mint Rabbit Hole tickets.


Lines of code
<https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L83>
<https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L97>

Vulnerability details

Impact

As specified on the RabbitHole C4 contest page, the RabbitHoleTickets smart contract 'is an 1155 reward contract used by the RabbitHole team.' This means that the assets managed by this smart contract have value. Moreover, this contract implements ERC-2981: NFT Royalty Standard, meaning that the tickets can be traded for other assets.
RabbitHoleTickets.onlyMinter doesn't check if msg.sender is the minter address.
Anybody can call RabbitHoleTickets.mint (or RabbitHoleTickets.mintBatch) to mint an unlimited number of tokens. Being a token with infinite supply, it will lose value and its creator can lose reputation.

Proof of Concept

  • Attacker calls mintBatch / mint and mints a huge number of tickets.
  • Attacker dumps the minted tickets on secondary markets for profit.

Tools Used

Manual review

Recommended Mitigation Steps

The fix is simple: implement the modifier properly, as follows:

    modifier onlyMinter() {
        if(msg.sender != minterAddress) revert CallerNotMinter();
        _;
    }  
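
The following is an added example, not code from the report or from the RabbitHole repository: a regression check that a non-minter caller is rejected by the recommended modifier. `TicketsSketch`, `OnlyMinterCheck`, `onlyMinterBroken`, `mintBroken` and the minter address are constructed for illustration, and the broken modifier shows only one hypothetical way a modifier can fail to enforce its check (the report does not show the original body).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Constructed, simplified stand-in for a ticket contract (not the project's code).
contract TicketsSketch {
    error CallerNotMinter();

    address public minterAddress;
    mapping(address => mapping(uint256 => uint256)) public balanceOf;

    constructor(address minter_) {
        minterAddress = minter_;
    }

    // Hypothetical broken form: the comparison is evaluated and its result
    // discarded, so the function body runs for every caller.
    modifier onlyMinterBroken() {
        msg.sender == minterAddress;
        _;
    }

    // Form recommended in the report: revert unless the caller is the minter.
    modifier onlyMinter() {
        if (msg.sender != minterAddress) revert CallerNotMinter();
        _;
    }

    function mintBroken(address to, uint256 id, uint256 amount) external onlyMinterBroken {
        balanceOf[to][id] += amount;
    }

    function mint(address to, uint256 id, uint256 amount) external onlyMinter {
        balanceOf[to][id] += amount;
    }
}

// Regression check: this contract is not the minter, so only the broken path may succeed.
contract OnlyMinterCheck {
    function run() external returns (bool brokenAllowsStranger, bool fixedRejectsStranger) {
        TicketsSketch t = new TicketsSketch(address(0xBEEF)); // constructed minter address
        try t.mintBroken(address(this), 1, 1) {
            brokenAllowsStranger = true;
        } catch {}
        try t.mint(address(this), 1, 1) {} catch (bytes memory reason) {
            fixedRejectsStranger = bytes4(reason) == TicketsSketch.CallerNotMinter.selector;
        }
    }
}
```

A test of this shape in the project's suite, asserting that `mint` and `mintBatch` revert for any caller other than the minter, catches a modifier that compiles but enforces nothing.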
