[Lines of code](https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollectionFactory.sol#L386-L423) # Vulnerability details ## Impact The following _createNFTDropCollection function with different name, symbol, and nonce can be called to create different NFT drop collections. function _createNFTDropCollection( string calldata name, string calldata symbol, string calldata baseURI, bytes32 postRevealBaseURIHash, uint32 maxTokenId, address approvedMinter, address payable paymentAddress, uint256 nonce ) private returns (address collection) { // This reverts if the NFT was previously created using this implementation version + msg.sender + nonce collection = implementationNFTDropCollection.cloneDeterministic(_getSalt(msg.sender, nonce)); INFTDropCollectionInitializer(collection).initialize( payable(msg.sender), name, symbol, baseURI, postRevealBaseURIHash, maxTokenId, approvedMinter, paymentAddress ); ... } After the NFT drop collections are created, the creator or minter can call the following mintCountTo function to mint NFTs of the drop collections per the collectors' requests. function mintCountTo(uint16 count, address to) external onlyMinterOrAdmin returns (uint256 firstTokenId) { require(count != 0, "NFTDropCollection: count must be greater than 0"); unchecked { // If +1 overflows then +count would also overflow, unless count==0 in which case the loop would exceed gas limits firstTokenId = latestTokenId + 1; } latestTokenId = latestTokenId + count; require(latestTokenId <= maxTokenId, "NFTDropCollection: Exceeds max tokenId"); for (uint256 i = firstTokenId; i <= latestTokenId; ) { _mint(to, i); unchecked { ++i; } } } After minting, the creator can call the following reveal function to reveal the NFT drop collection's final content by setting _baseURI of the final content. There is no check to ensure that the same _baseURI cannot be used for different NFT drop collections. Therefore, a malicious creator can use the same _baseURI when calling reveal for different NFT drop collections, which would reveal different collections' NFTs to correspond to the same ipfs token URI. Because the ipfs token URI should be unique for every NFT, collectors can end up minting the same NFT even it is from different NFT drop collections. Since these NFTs are essentially duplicates, disputes can occur, and the collectors would lose investments. function reveal(string calldata _baseURI) external onlyAdmin validBaseURI(_baseURI) onlyWhileUnrevealed { // postRevealBaseURIHash == 0 indicates that the collection has been revealed. delete postRevealBaseURIHash; // Set the new base URI. baseURI = _baseURI; emit URIUpdated(_baseURI, ""); } ## Proof of Concept Please add the following test in the Admin Reveal describe block in test\collections\NFTDropCollection\reveal.ts. This test will pass to demonstrate the described scenario. it("Malicious creator can create different NFT drop collections with NFTs that will be revealed to correspond to same ipfs token URI", async () => { const baseURI = "ipfs://foo/"; let nftDropCollection1: NFTDropCollection; const tx1 = await contracts.nftCollectionFactoryV2 .connect(creator) .createNFTDropCollection( "NAME1", "SYM1", PREREVEAL_URI, ethers.utils.keccak256(ethers.utils.toUtf8Bytes(baseURI)), MAX_TOKEN_ID, contracts.nftDropMarket.address, 1000, {gasLimit: 1e6} ); nftDropCollection1 = await getNFTDropCollection(tx1, creator); let nftDropCollection2: NFTDropCollection; const tx2 = await contracts.nftCollectionFactoryV2 .connect(creator) .createNFTDropCollection( "NAME2", "SYM2", PREREVEAL_URI, ethers.utils.keccak256(ethers.utils.toUtf8Bytes(baseURI)), MAX_TOKEN_ID, contracts.nftDropMarket.address, 2000, {gasLimit: 1e6} ); nftDropCollection2 = await getNFTDropCollection(tx2, creator); await nftDropCollection1.connect(creator).mintCountTo(1, collector.address); await nftDropCollection1.connect(creator).reveal(baseURI); await nftDropCollection2.connect(creator).mintCountTo(1, collector.address); await nftDropCollection2.connect(creator).reveal(baseURI); const nftDrop1TokenURI1 = await nftDropCollection1.connect(creator).tokenURI(1); const nftDrop2TokenURI1 = await nftDropCollection2.connect(creator).tokenURI(1); // both NFT drop collections now have NFTs that are revealed to correspond to the same ipfs token URI expect(nftDrop1TokenURI1).to.be.eq(${baseURI}1.json); expect(nftDrop1TokenURI1).to.be.eq(nftDrop2TokenURI1); }); ## Tools Used VSCode ## Recommended Mitigation Steps A contract can be added and used across NFT drop collections for recording the base URI, as well as its hash, that is used when revealing the final collection content. The [_createNFTDropCollection](https://github.com/code-423n4/2022-08-foundation/blob/main/contracts/NFTCollectionFactory.sol#L386-L423>) and [updatePreRevealContent]() functions should revert if the creator tries to call them with a post-reveal base URI hash that has been used already by checking against this contract. Moreover, the [reveal](