Merge pull request #65 from bugout-dev/fix-mint-batch-exploit

Fix for the "mintBatch" exploit
Added additional test for mintBatch exploit
2022-11-22 10:40:24 -08:00 · 2022-11-22 08:25:50 -08:00 · 2022-11-22 08:18:36 -08:00
--- a/contracts/terminus/ERC1155WithTerminusStorage.sol
+++ b/contracts/terminus/ERC1155WithTerminusStorage.sol
@ -386,18 +386,15 @@ contract ERC1155WithTerminusStorage is

        LibTerminus.TerminusStorage storage ts = LibTerminus.terminusStorage();

-        for (uint256 i = 0; i < ids.length; i++) {
-            require(
-                ts.poolSupply[ids[i]] + amounts[i] <= ts.poolCapacity[ids[i]],
-                "ERC1155WithTerminusStorage: _mintBatch -- Minted tokens would exceed pool capacity"
-            );
-        }
-
        address operator = _msgSender();

        _beforeTokenTransfer(operator, address(0), to, ids, amounts, data);

        for (uint256 i = 0; i < ids.length; i++) {
+            require(
+                ts.poolSupply[ids[i]] + amounts[i] <= ts.poolCapacity[ids[i]],
+                "ERC1155WithTerminusStorage: _mintBatch -- Minted tokens would exceed pool capacity"
+            );
            ts.poolSupply[ids[i]] += amounts[i];
            ts.poolBalances[ids[i]][to] += amounts[i];
        }
--- a/dao/test_terminus.py
+++ b/dao/test_terminus.py
@ -333,12 +333,37 @@ class TestPoolOperations(TerminusTestCase):
        )

    def test_mint_batch_fails_if_it_exceeds_capacity(self):
+        capacity = 10
+        self.diamond_terminus.create_pool_v1(
+            capacity, True, True, {"from": accounts[1]}
+        )
        pool_id = self.diamond_terminus.total_pools()
        with self.assertRaises(Exception):
            self.diamond_terminus.mint_batch(
                accounts[2].address,
-                pool_i_ds=[pool_id],
-                amounts=[11],
+                pool_i_ds=[pool_id, pool_id],
+                amounts=[int(capacity / 2) + 1, int(capacity / 2) + 1],
+                data=b"",
+                transaction_config={"from": accounts[1]},
+            )
+
+        balance = self.diamond_terminus.balance_of(accounts[2].address, pool_id)
+        self.assertEqual(balance, 0)
+
+        supply = self.diamond_terminus.terminus_pool_supply(pool_id)
+        self.assertEqual(supply, 0)
+
+    def test_mint_batch_fails_if_it_exceeds_capacity_one_at_a_time(self):
+        capacity = 10
+        self.diamond_terminus.create_pool_v1(
+            capacity, True, True, {"from": accounts[1]}
+        )
+        pool_id = self.diamond_terminus.total_pools()
+        with self.assertRaises(Exception):
+            self.diamond_terminus.mint_batch(
+                accounts[2].address,
+                pool_i_ds=[pool_id for _ in range(capacity + 1)],
+                amounts=[1 for _ in range(capacity + 1)],
                data=b"",
                transaction_config={"from": accounts[1]},
            )
Autor	SHA1	Wiadomość	Data
Neeraj Kashyap	71261d1bbf	Merge pull request #65 from bugout-dev/fix-mint-batch-exploit Fix for the "mintBatch" exploit	2022-11-22 10:40:24 -08:00
Neeraj Kashyap	8f34b14fb5	Added additional test for mintBatch exploit Inspired by @kompotkot	2022-11-22 08:25:50 -08:00
Neeraj Kashyap	12204c47dd	A fix for the mintBatch vulnerability to bypass pool capacity	2022-11-22 08:18:36 -08:00