GHSA-9v25-r5q2-2p6w

Source
https://github.com/advisories/GHSA-9v25-r5q2-2p6w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-9v25-r5q2-2p6w/GHSA-9v25-r5q2-2p6w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9v25-r5q2-2p6w
Published
2022-12-12T22:03:19Z
Modified
2022-12-12T22:03:19Z
Summary
Candy Machine Set Collection During Mint Missing Check
Details

A problem with Candy Machine V2 allows minting NFTs into an arbitrary collection due to a missing check.

Here is a description of the exploit.

Here is the tx/ix to exploit:

Transaction:
  Ix 1 (-1): Candy Machine V2, mint_nft, passing in empty metadata
  Ix 2 (0): custom handler
    CPI A --> token_metadata create_metadata_account, creates NFT
    CPI B --> Candy Machine V2, set_collection_during_mint

Ix 1 passes our first check for empty metadata, but eventually will hit a bot tax and return Ok. We do have a CPI check in this function, but even if we hit that or moved it to the top, it returns Ok as a bot tax and still enables the issue.

Ix 2, CPI A is Ok and mints an arbitrary NFT.

Ix 2, CPI B checks the previous instruction using index_relative_to_current - 1. This turns out to be Ix 1, which was Ok, so the newly minted arbitrary NFT is successfully added to the collection.

Conclusion: the Candy Machine could be out of NFTs and it still works. If the CM is closed, (we think?) it doesn't get to the check.

The fix needs to be in set_collection_during_mint: check that the current program ID is candymachine_v2. It checks the previous program ID but doesn't check the current one.

NOTE: THIS DOES NOT AFFECT Cmv3
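As an added illustration (not code from mpl-candy-machine), the following Rust model shows why a check that inspects only the previous top-level instruction lets the CPI path through, and what the extra current-instruction check rejects. The instructions sysvar is reduced to the list of top-level program ids, and ProgramId, CheckError, vulnerable_check and fixed_check are assumed names for this example.

```rust
// Added example (not mpl-candy-machine source): a simplified model of the Solana
// instructions sysvar, seen as the program id of each top-level instruction in
// the transaction. CPIs made by those instructions do not appear in it.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum ProgramId {
    CandyMachineV2,
    CustomHandler, // attacker-controlled program, constructed for the example
}

#[derive(Debug, PartialEq, Eq)]
pub enum CheckError {
    BadIndex,
    PreviousNotCandyMachine,
    CurrentNotCandyMachine,
}

/// Pre-fix behaviour as the advisory describes it: only the top-level instruction
/// at index_relative_to_current - 1 must belong to Candy Machine V2.
pub fn vulnerable_check(tx: &[ProgramId], current: usize) -> Result<(), CheckError> {
    let prev = current.checked_sub(1).and_then(|i| tx.get(i)).ok_or(CheckError::BadIndex)?;
    if *prev != ProgramId::CandyMachineV2 {
        return Err(CheckError::PreviousNotCandyMachine);
    }
    Ok(())
}

/// Hardened check: the same previous-instruction test, plus the current top-level
/// instruction must itself be Candy Machine V2. Reached by CPI from another
/// program, the current index points at that program's instruction and fails.
pub fn fixed_check(tx: &[ProgramId], current: usize) -> Result<(), CheckError> {
    vulnerable_check(tx, current)?;
    match tx.get(current) {
        Some(ProgramId::CandyMachineV2) => Ok(()),
        Some(_) => Err(CheckError::CurrentNotCandyMachine),
        None => Err(CheckError::BadIndex),
    }
}

/// Transaction shape from the advisory, constructed for this example:
/// Ix 1 = mint_nft (bot-taxed but returns Ok), Ix 2 = custom handler that CPIs
/// create_metadata_account and then set_collection_during_mint.
pub fn exploit_tx() -> Vec<ProgramId> {
    vec![ProgramId::CandyMachineV2, ProgramId::CustomHandler]
}

/// Legitimate shape: mint_nft and set_collection_during_mint issued directly.
pub fn legit_tx() -> Vec<ProgramId> {
    vec![ProgramId::CandyMachineV2, ProgramId::CandyMachineV2]
}
```

When set_collection_during_mint executes, the sysvar's current index is 1 in both transactions; only the current-instruction test distinguishes them.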

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-12T22:03:19Z"
}
References

Affected packages

crates.io / mpl-candy-machine

Package

Name
mpl-candy-machine
Purl
pkg:cargo/mpl-candy-machine

Affected ranges

Type
SEMVER
Events
Introduced
4.5.0
Fixed
4.5.1

Affected versions

4.*

4.5.0