57255 sc low allowed minting of nfts after collection expiry date

Submitted on Oct 24th 2025 at 18:34:43 UTC by @chinepun for Audit Comp | Belong

  • Report ID: #57255

  • Report Type: Smart Contract

  • Report severity: Low

  • Target: https://github.com/immunefi-team/audit-comp-belong/blob/feat/cairo/src/nft/nft.cairo

  • Impacts:

    • Unauthorized minting of NFTs

Description

Brief / Intro

The smart contract allows anyone to mint tokens after the NFT collection's configured expiry timestamp has passed.

Vulnerability Details

The NftParameters structure contains a field collection_expires which tracks the expiration timestamp for the NFT collection. See:

  • NftParameters: https://github.com/immunefi-team/audit-comp-belong/blob/feat/cairo/src/nft/interface.cairo#L3-L17

  • collection_expires field: https://github.com/immunefi-team/audit-comp-belong/blob/0cbcde6fd80dbc55a9e3403c8e5a74827dea19e2/src/nft/interface.cairo#L14

However, during minting (via _mint_static_price_batch or _mint_dynamic_price_batch), the _base_mint function does not check whether the collection has expired before minting:

  • Minting flow: https://github.com/immunefi-team/audit-comp-belong/blob/feat/cairo/src/nft/nft.cairo#L386-L401

  • _mint_static_price_batch: https://github.com/immunefi-team/audit-comp-belong/blob/feat/cairo/src/nft/nft.cairo#L328-L384

  • _mint_dynamic_price_batch: https://github.com/immunefi-team/audit-comp-belong/blob/feat/cairo/src/nft/nft.cairo#L279-L326

  • _base_mint: https://github.com/immunefi-team/audit-comp-belong/blob/0cbcde6fd80dbc55a9e3403c8e5a74827dea19e2/src/nft/nft.cairo#L386C12-L386C22

Excerpt from _base_mint (no expiration check):

As shown, _base_mint validates total supply but does not verify collection_expires before performing the mint.

Impact Details

Because expiration is not enforced, NFTs can be minted after the intended expiration date. This may allow continuous minting until max_total_supply is reached, potentially crashing the collection's market price or allowing unauthorized minting beyond the intended sale period.

References

  • Relevant mint logic: https://github.com/immunefi-team/audit-comp-belong/blob/feat/cairo/src/nft/nft.cairo#L386-L401

Proof of Concept

The repository already contains tests covering mint behavior: https://github.com/immunefi-team/audit-comp-belong/blob/feat/cairo/src/tests/test_nft.cairo#L508-L574

You can reproduce the issue by changing the collection expiry used in tests to an expired timestamp (0) and running the test. The test still passes, demonstrating minting occurs despite an expired collection.

Step 1: Modify test to set collection_expires to 0

Edit src/tests/test_nft.cairo to set collection_expires: 0:

Step 2: Run the specific test

Run the test:

Step 3: Observe passing test (minting despite expiry)

Expected test output shows the mint succeeded even though the collection expiry was set to 0 (expired):

This demonstrates NFTs were minted although collection_expires was set to an expired timestamp.

Recommendations (not prescriptive)

  • Add a check in the minting flow (e.g., in _base_mint or the public mint wrapper functions) that asserts the current timestamp is less than or equal to collection_expires before proceeding to mint.

  • Ensure unit tests include cases that verify minting reverts when collection_expires is in the past.
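One way to express the recommended check and its regression tests, as an added example that is not code from the report or from the audited repository: a simplified Cairo model of the mint path. `Collection`, `base_mint`, the `now` parameter, the `u64` type for `collection_expires` and the error strings are assumptions; the field names come from the report.

```cairo
// Added example: simplified model, not the audited contract's code.
// `Collection`, `base_mint`, `now` and the error strings are hypothetical.
#[derive(Copy, Drop)]
struct Collection {
    total_supply: u256,
    max_total_supply: u256,
    collection_expires: u64, // assumed u64, matching get_block_timestamp()
}

// `now` is a parameter so the guard is unit-testable; on-chain it would be
// starknet::get_block_timestamp().
fn base_mint(ref c: Collection, now: u64) -> u256 {
    // Recommended guard: mint only while now <= collection_expires.
    assert(now <= c.collection_expires, 'Collection expired');
    // Supply check that the report says is already present.
    assert(c.total_supply < c.max_total_supply, 'Max supply reached');
    c.total_supply = c.total_supply + 1;
    c.total_supply // id of the token minted in this model
}

#[cfg(test)]
mod tests {
    use super::{Collection, base_mint};

    fn collection(expires: u64) -> Collection {
        Collection { total_supply: 0, max_total_supply: 2, collection_expires: expires }
    }

    #[test]
    fn mints_at_expiry_boundary() {
        let mut c = collection(1000);
        assert(base_mint(ref c, 1000) == 1, 'boundary mint failed');
    }

    #[test]
    #[should_panic(expected: ('Collection expired',))]
    fn rejects_mint_after_expiry() {
        let mut c = collection(1000);
        base_mint(ref c, 1001);
    }

    // Regression test for the report's PoC: collection_expires = 0.
    #[test]
    #[should_panic(expected: ('Collection expired',))]
    fn rejects_mint_when_expiry_is_zero() {
        let mut c = collection(0);
        base_mint(ref c, 1);
    }
}
```

Placing the expiry assertion before the supply check means an expired collection fails with the expiry error regardless of remaining supply.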

