A fix for the mintBatch vulnerability to bypass pool capacity

2022-11-22 08:18:36 -08:00 · 2022-11-22 08:18:36 -08:00 · 12204c47dd
commit 12204c47dd
--- a/contracts/terminus/ERC1155WithTerminusStorage.sol
+++ b/contracts/terminus/ERC1155WithTerminusStorage.sol
@ -386,18 +386,15 @@ contract ERC1155WithTerminusStorage is

        LibTerminus.TerminusStorage storage ts = LibTerminus.terminusStorage();

-        for (uint256 i = 0; i < ids.length; i++) {
-            require(
-                ts.poolSupply[ids[i]] + amounts[i] <= ts.poolCapacity[ids[i]],
-                "ERC1155WithTerminusStorage: _mintBatch -- Minted tokens would exceed pool capacity"
-            );
-        }
-
        address operator = _msgSender();

        _beforeTokenTransfer(operator, address(0), to, ids, amounts, data);

        for (uint256 i = 0; i < ids.length; i++) {
+            require(
+                ts.poolSupply[ids[i]] + amounts[i] <= ts.poolCapacity[ids[i]],
+                "ERC1155WithTerminusStorage: _mintBatch -- Minted tokens would exceed pool capacity"
+            );
            ts.poolSupply[ids[i]] += amounts[i];
            ts.poolBalances[ids[i]][to] += amounts[i];
        }
--- a/dao/test_terminus.py
+++ b/dao/test_terminus.py
@ -333,12 +333,16 @@ class TestPoolOperations(TerminusTestCase):
        )

    def test_mint_batch_fails_if_it_exceeds_capacity(self):
+        capacity = 10
+        self.diamond_terminus.create_pool_v1(
+            capacity, True, True, {"from": accounts[1]}
+        )
        pool_id = self.diamond_terminus.total_pools()
        with self.assertRaises(Exception):
            self.diamond_terminus.mint_batch(
                accounts[2].address,
-                pool_i_ds=[pool_id],
-                amounts=[11],
+                pool_i_ds=[pool_id, pool_id],
+                amounts=[int(capacity / 2) + 1, int(capacity / 2) + 1],
                data=b"",
                transaction_config={"from": accounts[1]},
            )