opensea-erc1155

Reentrancy in mint()

Open epheph opened this issue 5 years ago • 0 comments

https://github.com/ProjectOpenSea/opensea-erc1155/blob/59d2e0cd3b118d8aeb0ac27c4b0726feff3853c0/contracts/MyFactory.sol#L94

Calling mint(uint256 _optionId, address _toAddress, uint256 _amount, bytes calldata _data) calls the internal

    _mint(
      Option _option,
      address _toAddress,
      uint256 _amount,
      bytes memory _data
    )

Which ends up running

    if (id == 0) {
      id = nftContract.create(_toAddress, _amount, "", _data);
      optionToTokenID[optionId] = id;
    } else {
      nftContract.mint(_toAddress, id, _amount, _data);
    }

If the nftContract itself supports callback hooks (like MyCollectible.sol), there is a reentrancy which could allow create to be called twice with the same optionId.

epheph, Feb 14 '20 21:02
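The call ordering described in the issue, modelled in Python as an added example (not code from the issue or from opensea-erc1155): a toy token whose recipient hook calls back into the factory before optionToTokenID is written, run with and without a reentrancy lock on mint. The class names, the `on_received` hook, the `guarded` flag and the option id are assumptions made for illustration.

```python
OPTION = 7  # constructed option id

class Reentered(Exception): pass  # models the revert raised by a reentrancy guard

class Receiver:
    """Recipient contract; optionally calls back into the factory once."""
    def __init__(self, reenter):
        self.reenter, self.factory = reenter, None
    def on_received(self, token_id, amount):
        if self.reenter:
            self.reenter = False
            self.factory.mint(OPTION, self, amount)

class Collectible:
    """Toy token that runs the recipient hook after crediting the balance."""
    def __init__(self):
        self.next_id, self.created, self.balances = 1, [], {}
    def create(self, to, amount):
        token_id, self.next_id = self.next_id, self.next_id + 1
        self.created.append(token_id)
        self.mint(to, token_id, amount)
        return token_id
    def mint(self, to, token_id, amount):
        self.balances[(to, token_id)] = self.balances.get((to, token_id), 0) + amount
        to.on_received(token_id, amount)  # external call into recipient code

class Factory:
    def __init__(self, nft, guarded):
        self.nft, self.guarded, self.locked, self.option_to_token = nft, guarded, False, {}
    def mint(self, option_id, to, amount):
        if self.guarded and self.locked:
            raise Reentered("mint re-entered")
        self.locked = True
        token_id = self.option_to_token.get(option_id, 0)
        if token_id == 0:
            token_id = self.nft.create(to, amount)      # hook runs in here
            self.option_to_token[option_id] = token_id  # written after the call
        else:
            self.nft.mint(to, token_id, amount)
        self.locked = False

def run(guarded, reenter):
    nft, to = Collectible(), Receiver(reenter)
    factory = to.factory = Factory(nft, guarded)
    try:
        factory.mint(OPTION, to, 1)
        factory.mint(OPTION, to, 1)
    except Reentered:
        return "reverted"  # on-chain, a revert discards all state changes
    return nft.created, factory.option_to_token[OPTION]
```

Because the token id is only known once create returns, the mapping write cannot simply be moved ahead of the external call; the model uses a lock on mint instead.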