57804 SC Insight: Unbounded percentages cause underflow and DoS in mint payment flow

Submitted on Oct 29th 2025 at 00:31:01 UTC by @Rhaydden for Audit Comp | Belong

  • Report ID: #57804

  • Report Type: Smart Contract

  • Report severity: Insight

  • Target: https://github.com/immunefi-team/audit-comp-belong/blob/feat/cairo/src/nftfactory/nftfactory.cairo

  • Impacts:

    • Temporary freezing of funds for at least 24 hours

Description

Issue description

The factory allows platform_commission and the referral percentages to be set without an upper bound. These values are later used to compute fees and splits during mint. If they exceed their denominators, the fee subtraction underflows at runtime and the transaction reverts, causing a DoS on minting.

There's no upper bound on platform_commission in factory setters as seen here: https://github.com/immunefi-team/audit-comp-belong//blob/a17f775dcc4c125704ce85d4e18b744daece65af/src/nftfactory/nftfactory.cairo#L442-L449

fn _set_factory_parameters(ref self: ContractState, factory_parameters: FactoryParameters) {
    assert(factory_parameters.signer.is_non_zero(), super::Errors::ZERO_ADDRESS);
    assert(factory_parameters.platform_address.is_non_zero(), super::Errors::ZERO_ADDRESS);
    assert(
        factory_parameters.platform_commission.is_non_zero(), super::Errors::ZERO_AMOUNT,
    );
    self.factory_parameters.write(factory_parameters);
}

Also there's no upper bound on referral percentage entries.

These are the underflow points in the NFT payment flow: https://github.com/immunefi-team/audit-comp-belong//blob/a17f775dcc4c125704ce85d4e18b744daece65af/src/nft/nft.cairo#L417-L436

  • Setting platform_commission above DefaultConfig::FEE_DENOMINATOR will make fees > price and cause underflow on price - fees in _check_price.

  • Setting a referral percentage entry above SKALING_FACTOR will make referral_fees > fees and cause underflow on fees - referral_fees in _pay.

Impact

Deterministic reverts in mint functions due to underflow in price - fees or fees - referral_fees. This prevents users from minting NFTs.

  • In _set_factory_parameters, enforce:

    • 0 < platform_commission <= DefaultConfig::FEE_DENOMINATOR

  • In _set_referral_percentages, enforce for each entry:

    • 0 <= percentages[i] <= SKALING_FACTOR (10000)

Validate inputs at the point of setting factory parameters and referral percentages so runtime arithmetic cannot underflow during mint/payment flows.
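
The two recommended bounds and the subtractions they protect, as a standalone Cairo module with tests. This is an added example, not code from the audited repository and not the reporter's PoC; the function names, the u256 types, FEE_DENOMINATOR = 10_000 and both fee formulas are assumptions made for illustration.

```cairo
// Added example: standalone model, not code from the audited repository.
// Assumed: u256 amounts, FEE_DENOMINATOR = 10_000, and both fee formulas.
const FEE_DENOMINATOR: u256 = 10_000; // assumed value
const SKALING_FACTOR: u256 = 10_000; // value given in the report

// Bound recommended for _set_factory_parameters.
fn check_platform_commission(platform_commission: u256) {
    assert(platform_commission != 0, 'Zero amount');
    assert(platform_commission <= FEE_DENOMINATOR, 'Commission too high');
}

// Bound recommended for each entry in _set_referral_percentages.
fn check_referral_percentage(pct: u256) {
    assert(pct <= SKALING_FACTOR, 'Referral pct too high');
}

// Returns (creator, platform, referral) amounts for one mint payment.
fn split_payment(price: u256, platform_commission: u256, referral_pct: u256) -> (u256, u256, u256) {
    let fees = price * platform_commission / FEE_DENOMINATOR;
    let referral_fees = fees * referral_pct / SKALING_FACTOR;
    // Unsigned subtraction panics on underflow, reverting the whole mint.
    (price - fees, fees - referral_fees, referral_fees)
}

#[cfg(test)]
mod tests {
    use super::{check_platform_commission, check_referral_percentage, split_payment};
    #[test]
    fn in_range_values_split_cleanly() {
        check_platform_commission(500);
        check_referral_percentage(10_000);
        let (creator, platform, referral) = split_payment(1_000, 500, 2_000);
        assert(creator == 950 && platform == 40 && referral == 10, 'unexpected split');
    }
    #[test]
    #[should_panic(expected: ('u256_sub Overflow',))]
    fn oversized_commission_underflows_price_minus_fees() {
        let _ = split_payment(1_000, 20_000, 0);
    }
    #[test]
    #[should_panic(expected: ('u256_sub Overflow',))]
    fn oversized_referral_underflows_fees_minus_referral() {
        let _ = split_payment(1_000, 500, 20_000);
    }
    #[test]
    #[should_panic(expected: ('Commission too high',))]
    fn setter_bound_rejects_oversized_commission() {
        check_platform_commission(20_000);
    }
}
```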

Proof of Concept

Proof of concept description

Two Starknet Foundry tests demonstrate the underflow and expected revert.

Attach this PoC to test_nft.cairo:

Due to compatibility issues, paste this in the scarb.toml file:

Run test with:
