Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05djI1LXI1cTItMnA2d84AAwRy
Candy Machine Set Collection During Mint Missing Check
A problem with Candy Machine V2 allow minting NFTs to an arbitrary collection due to a missing check.
Here is a description of the exploit:
Details:
Here is the tx/ix to exploit:
Transaction:
Ix 1: candy_machine v2, mint_nft, passing in empty metadata -1
Ix 2: custom handler, 0
cpi A --> token_metadata create_metadata_account, creates NFT
cpi B --> candy_machine v2, set_collection_during_mint
Ix 1 passes our first check for empty metadata, but eventually will hit a bot tax and return Ok. We do have a CPI check in this function but even if we hit that or moved it to the top, it returns Ok as a bot tax and still enables the issue.
Ix 2, cpi A is Ok and mints an arbitrary NFT.
Ix 2, cpi B checks the previous instruction using index_relative_to_current-1. This turns out to be Ix 1 which was Ok, so then your newly minted arbitrary NFT is successfully added to the collection.
Conclusion:
Candy machine could be out of NFTs and it still works. If the CM is closed, (we think?) it doesn't get to the check.
The fix needs to be in set_collection_during_mint that current program ID id candy_machine_v2. It checks previous program ID but doesn't check current.
NOTE: THIS DOES NOT AFFECT Cmv3
Permalink: https://github.com/advisories/GHSA-9v25-r5q2-2p6wJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05djI1LXI1cTItMnA2d84AAwRy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
Identifiers: GHSA-9v25-r5q2-2p6w
References:
- https://github.com/metaplex-foundation/metaplex-program-library/security/advisories/GHSA-9v25-r5q2-2p6w
- https://github.com/metaplex-foundation/metaplex-program-library/commit/e6b3aff603ac06236bf77c2ec21ead93c6836dce
- https://github.com/advisories/GHSA-9v25-r5q2-2p6w
Blast Radius: 0.0
Affected Packages
cargo:mpl-candy-machine
Dependent packages: 3Dependent repositories: 5
Downloads: 22,825 total
Affected Version Ranges: = 4.5.0
Fixed in: 4.5.1
All affected versions: 4.5.0
All unaffected versions: 2.0.1, 3.0.0, 3.1.0, 3.1.1, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.1, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.4.0, 4.4.1, 4.5.1, 4.6.0