SignatureMint zero address check (#258)

* (C-1) mintWithSignature() front-running vulnerability

* (M-1) TokenERC20 charges price when quantity is 0

Author: kumaryash90

contracts/base/ERC1155SignatureMint.sol

@@ -69,14 +69,7 @@ contract ERC1155SignatureMint is ERC1155Base, PrimarySale, SignatureMintERC1155
         // Verify and process payload.
         signer = _processRequest(_req, _signature);
 
-        /**
-         *  Get receiver of tokens.
-         *
-         *  Note: If `_req.to == address(0)`, a `mintWithSignature` transaction sitting in the
-         *        mempool can be frontrun by copying the input data, since the minted tokens
-         *        will be sent to the `_msgSender()` in this case.
-         */
-        address receiver = _req.to == address(0) ? msg.sender : _req.to;
+        address receiver = _req.to;
 
         // Collect price
         collectPriceOnClaim(_req.primarySaleRecipient, _req.quantity, _req.currency, _req.pricePerToken);

contracts/base/ERC20SignatureMint.sol

@@ -55,14 +55,7 @@ contract ERC20SignatureMint is ERC20Base, PrimarySale, SignatureMintERC20 {
         // Verify and process payload.
         signer = _processRequest(_req, _signature);
 
-        /**
-         *  Get receiver of tokens.
-         *
-         *  Note: If `_req.to == address(0)`, a `mintWithSignature` transaction sitting in the
-         *        mempool can be frontrun by copying the input data, since the minted tokens
-         *        will be sent to the `_msgSender()` in this case.
-         */
-        address receiver = _req.to == address(0) ? msg.sender : _req.to;
+        address receiver = _req.to;
 
         // Collect price
         collectPriceOnClaim(_req.primarySaleRecipient, _req.quantity, _req.currency, _req.pricePerToken);

contracts/base/ERC721SignatureMint.sol

@@ -61,14 +61,7 @@ contract ERC721SignatureMint is ERC721Base, PrimarySale, SignatureMintERC721 {
         // Verify and process payload.
         signer = _processRequest(_req, _signature);
 
-        /**
-         *  Get receiver of tokens.
-         *
-         *  Note: If `_req.to == address(0)`, a `mintWithSignature` transaction sitting in the
-         *        mempool can be frontrun by copying the input data, since the minted tokens
-         *        will be sent to the `_msgSender()` in this case.
-         */
-        address receiver = _req.to == address(0) ? msg.sender : _req.to;
+        address receiver = _req.to;
 
         // Collect price
         collectPriceOnClaim(_req.primarySaleRecipient, _req.quantity, _req.currency, _req.pricePerToken);

contracts/extension/SignatureMintERC1155.sol

@@ -41,6 +41,8 @@ abstract contract SignatureMintERC1155 is EIP712, ISignatureMintERC1155 {
             _req.validityStartTimestamp <= block.timestamp && block.timestamp <= _req.validityEndTimestamp,
             "Request expired"
         );
+        require(_req.to != address(0), "recipient undefined");
+        require(_req.quantity > 0, "0 qty");
 
         minted[_req.uid] = true;
     }

contracts/extension/SignatureMintERC1155Upgradeable.sol

@@ -47,6 +47,8 @@ abstract contract SignatureMintERC1155Upgradeable is Initializable, EIP712Upgrad
             _req.validityStartTimestamp <= block.timestamp && block.timestamp <= _req.validityEndTimestamp,
             "Request expired"
         );
+        require(_req.to != address(0), "recipient undefined");
+        require(_req.quantity > 0, "0 qty");
 
         minted[_req.uid] = true;
     }

contracts/extension/SignatureMintERC20.sol

@@ -41,6 +41,8 @@ abstract contract SignatureMintERC20 is EIP712, ISignatureMintERC20 {
             _req.validityStartTimestamp <= block.timestamp && block.timestamp <= _req.validityEndTimestamp,
             "Request expired"
         );
+        require(_req.to != address(0), "recipient undefined");
+        require(_req.quantity > 0, "0 qty");
 
         minted[_req.uid] = true;
     }

contracts/extension/SignatureMintERC20Upgradeable.sol

@@ -47,6 +47,8 @@ abstract contract SignatureMintERC20Upgradeable is Initializable, EIP712Upgradea
             _req.validityStartTimestamp <= block.timestamp && block.timestamp <= _req.validityEndTimestamp,
             "Request expired"
         );
+        require(_req.to != address(0), "recipient undefined");
+        require(_req.quantity > 0, "0 qty");
 
         minted[_req.uid] = true;
     }

contracts/extension/SignatureMintERC721.sol

@@ -43,6 +43,8 @@ abstract contract SignatureMintERC721 is EIP712, ISignatureMintERC721 {
         if (_req.validityStartTimestamp > block.timestamp || block.timestamp > _req.validityEndTimestamp) {
             revert("Req expired");
         }
+        require(_req.to != address(0), "recipient undefined");
+        require(_req.quantity > 0, "0 qty");
 
         minted[_req.uid] = true;
     }

contracts/extension/SignatureMintERC721Upgradeable.sol

@@ -49,6 +49,8 @@ abstract contract SignatureMintERC721Upgradeable is Initializable, EIP712Upgrade
         if (_req.validityStartTimestamp > block.timestamp || block.timestamp > _req.validityEndTimestamp) {
             revert("Req expired");
         }
+        require(_req.to != address(0), "recipient undefined");
+        require(_req.quantity > 0, "0 qty");
 
         minted[_req.uid] = true;
     }

contracts/signature-drop/SignatureDrop.sol

@@ -190,14 +190,7 @@ contract SignatureDrop is
         // Verify and process payload.
         signer = _processRequest(_req, _signature);
 
-        /**
-         *  Get receiver of tokens.
-         *
-         *  Note: If `_req.to == address(0)`, a `mintWithSignature` transaction sitting in the
-         *        mempool can be frontrun by copying the input data, since the minted tokens
-         *        will be sent to the `_msgSender()` in this case.
-         */
-        address receiver = _req.to == address(0) ? _msgSender() : _req.to;
+        address receiver = _req.to;
 
         // Collect price
         collectPriceOnClaim(_req.primarySaleRecipient, _req.quantity, _req.currency, _req.pricePerToken);