{"id":"GHSA-9v25-r5q2-2p6w","summary":"Candy Machine Set Collection During Mint Missing Check","details":"A problem with Candy Machine V2 allow minting NFTs to an arbitrary collection due to a missing check.\n\nHere is a description of the exploit:\nDetails:\nHere is the tx/ix to exploit:\nTransaction:\nIx 1: candy_machine v2, mint_nft, passing in empty metadata -1\nIx 2: custom handler, 0\n\t\tcpi A --\u003e token_metadata create_metadata_account, creates NFT\n\t\tcpi B --\u003e candy_machine v2, set_collection_during_mint\nIx 1 passes our first check for empty metadata, but eventually will hit a bot tax and return Ok.  We do have a CPI check in this function but even if we hit that or moved it to the top, it returns Ok as a bot tax and still enables the issue.\nIx 2, cpi A is Ok and mints an arbitrary NFT.\nIx 2, cpi B checks the previous instruction using index_relative_to_current-1.  This turns out to be Ix 1 which was Ok, so then your newly minted arbitrary NFT is successfully added to the collection.\nConclusion:\nCandy machine could be out of NFTs and it still works.  If the CM is closed, (we think?) it doesn't get to the check.\nThe fix needs to be in set_collection_during_mint that current program ID id candy_machine_v2.  It checks previous program ID but doesn't check current.\n\nNOTE: THIS DOES NOT AFFECT Cmv3\n","modified":"2022-12-12T22:03:19Z","published":"2022-12-12T22:03:19Z","database_specific":{"nvd_published_at":null,"cwe_ids":[],"severity":"MODERATE","github_reviewed":true,"github_reviewed_at":"2022-12-12T22:03:19Z"},"references":[{"type":"WEB","url":"https://github.com/metaplex-foundation/metaplex-program-library/security/advisories/GHSA-9v25-r5q2-2p6w"},{"type":"WEB","url":"https://github.com/metaplex-foundation/metaplex-program-library/commit/e6b3aff603ac06236bf77c2ec21ead93c6836dce"},{"type":"PACKAGE","url":"https://github.com/metaplex-foundation/metaplex-program-library"}],"affected":[{"package":{"name":"mpl-candy-machine","ecosystem":"crates.io","purl":"pkg:cargo/mpl-candy-machine"},"ranges":[{"type":"SEMVER","events":[{"introduced":"4.5.0"},{"fixed":"4.5.1"}]}],"versions":["4.5.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-9v25-r5q2-2p6w/GHSA-9v25-r5q2-2p6w.json"}}],"schema_version":"1.7.3"}