Bad Guys NFT

Step-by-step

1. Get whitelisted
2. Call the whitelist mint function with a high number of chosenAmount so you mint all available NFTs.

Detailed Description

The attacker claimed 400 NFTs in a single transaction. The mistake is in the WhiteListMint function, where anyone whitelisted can pass an arbitrary chosenAmount. The _numberMinted_ map is only updated after calling the function, so the require passes for any number on the first try.

    function WhiteListMint(bytes32[] calldata _merkleProof, uint256 chosenAmount)
        public
    {
        require(_numberMinted(msg.sender)<1, "Already Claimed");
        require(isPaused == false, "turn on minting");
        require(
            chosenAmount > 0,
            "Number Of Tokens Can Not Be Less Than Or Equal To 0"
        );
        require(
            totalSupply() + chosenAmount <= maxsupply - reserve,
            "all tokens have been minted"
        );
        bytes32 leaf = keccak256(abi.encodePacked(msg.sender));
        require(
            MerkleProof.verify(_merkleProof, rootHash, leaf),
            "Invalid Proof"
        );
        _safeMint(msg.sender, chosenAmount);
    }

Possible mitigations

• The chosenAmount parameter seems to be useless and would better be a constant of 1 if that was the intended usage.
• Otherwise, if it was intended to allow for more than one mint per accoutn, restrict the chosenAmount parameter.