{
  "schema_version": "1.4.0",
  "id": "GHSA-9v25-r5q2-2p6w",
  "modified": "2022-12-12T22:03:19Z",
  "published": "2022-12-12T22:03:19Z",
  "aliases": [],
  "summary": "Candy Machine Set Collection During Mint Missing Check",
  "details": "A problem with Candy Machine V2 allow minting NFTs to an arbitrary collection due to a missing check.\n\nHere is a description of the exploit:\nDetails:\nHere is the tx/ix to exploit:\nTransaction:\nIx 1: candy_machine v2, mint_nft, passing in empty metadata -1\nIx 2: custom handler, 0\n\t\tcpi A --> token_metadata create_metadata_account, creates NFT\n\t\tcpi B --> candy_machine v2, set_collection_during_mint\nIx 1 passes our first check for empty metadata, but eventually will hit a bot tax and return Ok.  We do have a CPI check in this function but even if we hit that or moved it to the top, it returns Ok as a bot tax and still enables the issue.\nIx 2, cpi A is Ok and mints an arbitrary NFT.\nIx 2, cpi B checks the previous instruction using index_relative_to_current-1.  This turns out to be Ix 1 which was Ok, so then your newly minted arbitrary NFT is successfully added to the collection.\nConclusion:\nCandy machine could be out of NFTs and it still works.  If the CM is closed, (we think?) it doesn't get to the check.\nThe fix needs to be in set_collection_during_mint that current program ID id candy_machine_v2.  It checks previous program ID but doesn't check current.\n\nNOTE: THIS DOES NOT AFFECT Cmv3\n",
  "severity": [],
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "mpl-candy-machine"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "4.5.0"
            },
            {
              "fixed": "4.5.1"
            }
          ]
        }
      ],
      "versions": [
        "4.5.0"
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/metaplex-foundation/metaplex-program-library/security/advisories/GHSA-9v25-r5q2-2p6w"
    },
    {
      "type": "WEB",
      "url": "https://github.com/metaplex-foundation/metaplex-program-library/commit/e6b3aff603ac06236bf77c2ec21ead93c6836dce"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/metaplex-foundation/metaplex-program-library"
    }
  ],
  "database_specific": {
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-12T22:03:19Z",
    "nvd_published_at": null
  }
}