Candy Machine Set Collection During Mint Missing Check
A problem with Candy Machine V2 allow minting NFTs to an arbitrary collection due to a missing check. Here is a description of the exploit: Details: Here is the tx/ix to exploit: Transaction: Ix 1: candy_machine v2, mint_nft, passing in empty metadata -1 Ix 2: custom handler, 0 cpi A –> token_metadata create_metadata_account, creates NFT cpi B –> candy_machine v2, set_collection_during_mint Ix 1 passes our first check for empty metadata, …