Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

HypeBears is a collectable set of NFT bears. mint is used to create new bears within this ecosystem.

When minting the NFTs, the code uses _safeMint from the OZ reference implementation. There is a map that checks to see whether or not a given address has minted an NFT. The safe is in regards to a check for the onERC721Received hook if it's a contract and has nothing to do with security.

The addressMinted is added at the end of the function. This violates the check-effects-use pattern. As a result, an attacker can mint the NFT and implement the hook within the _safeMint() function. Since the variable was not set, we can reenter the mintNFT function to create another one. Of course, this can be done as long as we can enough gas.

Overall, a fairly standard reentrancy vulnerability but fun to read about in 2022 none-the-less.