PT-2022-28230 · Unknown · Candy Machine V2
Published 2022-12-12 · Updated 2022-12-12
Severity: None
No severity ratings or metrics are available yet; the page will be updated when they are.
Name of the Vulnerable Software and Affected Versions
Candy Machine V2
Description
Candy Machine V2 is missing a check in its set collection during mint function, which allows an NFT that the candy machine did not mint to be added to the candy machine's collection. The issue is exploited with a transaction containing two instructions. The first is a mint instruction that passes the initial validation; when the mint then fails in a way that the candy machine's bot tax covers, the instruction charges the tax and returns Ok instead of an error. Because a failing instruction would abort the whole transaction, that Ok return is what lets the second instruction run. The second instruction results in an arbitrary NFT being added to the collection: set collection during mint only verifies that the preceding instruction was a candy machine mint that returned Ok, not that it actually minted anything. This is why the exploit also works when the candy machine is out of NFTs. Candy Machine V3 is not affected.
Recommendations
For Candy Machine V2, the fix belongs in the set collection during mint function: in addition to verifying the program ID of the previous instruction, it must verify the program ID of the current instruction. Until a patched release is available, a temporary workaround is to restrict use of the set collection during mint function.
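The transaction sequence described above and the recommended check, as an added model in Rust that is not Metaplex's code: it simulates the instructions sysvar (the transaction's top-level instructions plus the index of the one executing), a mint handler whose bot-tax path returns Ok without minting, the vulnerable check that inspects only the previous instruction, and the hardened check that also inspects the current instruction's program ID. The program ids, type and function names, the run_transaction driver and the route through a third-party program's CPI (the situation in which the current top-level program ID differs from the candy machine's) are assumptions of this model, not facts from the advisory; the real handler's other account checks are omitted.

```rust
// Added model of the Candy Machine V2 issue; not Metaplex code. Program ids,
// names and the CPI route are assumptions made for illustration.

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
struct Pubkey(u8); // real program ids are 32-byte keys; a byte is enough here

const CANDY_MACHINE_V2: Pubkey = Pubkey(1); // assumed id of the candy machine program
const ATTACKER_PROGRAM: Pubkey = Pubkey(2); // assumed id of a third-party program

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
enum Ix {
    MintNft,
    SetCollectionDuringMint,
    // Third-party instruction that CPIs into set_collection_during_mint (assumption).
    CpiIntoSetCollection,
}

// A top-level transaction instruction as the instructions sysvar reports it.
#[derive(Clone, Copy, Debug)]
struct Instruction {
    program_id: Pubkey,
    ix: Ix,
}

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
enum CmError {
    CandyMachineEmpty,
    SuspiciousTransaction,
}

struct CandyMachine {
    items_available: u64,
    items_redeemed: u64,
    punish_bots: bool, // bot tax configured
}

impl CandyMachine {
    // Ok(true): an NFT was minted. Ok(false): the machine is empty but the bot
    // tax applies, so the tax is charged and the instruction still succeeds.
    fn mint_nft(&mut self) -> Result<bool, CmError> {
        if self.items_redeemed >= self.items_available {
            return if self.punish_bots { Ok(false) } else { Err(CmError::CandyMachineEmpty) };
        }
        self.items_redeemed += 1;
        Ok(true)
    }
}

// Model of the instructions sysvar: it exposes the transaction's top-level
// instructions and the index of the one executing, even from inside a CPI.
struct InstructionSysvar<'a> {
    ixs: &'a [Instruction],
    current_index: usize,
}

impl<'a> InstructionSysvar<'a> {
    fn get_relative(&self, offset: isize) -> Option<&'a Instruction> {
        let idx = self.current_index as isize + offset;
        if idx < 0 {
            return None;
        }
        let ixs: &'a [Instruction] = self.ixs;
        ixs.get(idx as usize)
    }
}

fn previous_ix_is_candy_machine_mint(sysvar: &InstructionSysvar) -> bool {
    matches!(sysvar.get_relative(-1),
             Some(prev) if prev.program_id == CANDY_MACHINE_V2 && prev.ix == Ix::MintNft)
}

// Vulnerable check: only the previous top-level instruction is inspected.
fn set_collection_vulnerable(sysvar: &InstructionSysvar) -> Result<(), CmError> {
    if previous_ix_is_candy_machine_mint(sysvar) { Ok(()) } else { Err(CmError::SuspiciousTransaction) }
}

// Hardened check from the advisory: the current top-level instruction must
// also belong to the candy machine program, which rejects the CPI route.
fn set_collection_fixed(sysvar: &InstructionSysvar) -> Result<(), CmError> {
    match sysvar.get_relative(0) {
        Some(cur) if cur.program_id == CANDY_MACHINE_V2 => set_collection_vulnerable(sysvar),
        _ => Err(CmError::SuspiciousTransaction),
    }
}

// Runs the top-level instructions in order. Solana aborts the whole transaction
// at the first error, so a later instruction only runs if every earlier one
// returned Ok. Returns (nft_minted, collection_set).
fn run_transaction(cm: &mut CandyMachine, ixs: &[Instruction], fixed: bool) -> Result<(bool, bool), CmError> {
    let (mut minted, mut collection_set) = (false, false);
    for (i, ix) in ixs.iter().enumerate() {
        let sysvar = InstructionSysvar { ixs, current_index: i };
        match ix.ix {
            Ix::MintNft => minted = cm.mint_nft()?,
            Ix::SetCollectionDuringMint | Ix::CpiIntoSetCollection => {
                if fixed { set_collection_fixed(&sysvar)? } else { set_collection_vulnerable(&sysvar)? }
                collection_set = true;
            }
        }
    }
    Ok((minted, collection_set))
}

// Constructed exploit transaction: a bot-taxed mint followed by a third-party
// program that reaches set_collection_during_mint through CPI (assumption).
fn exploit_sequence() -> [Instruction; 2] {
    [
        Instruction { program_id: CANDY_MACHINE_V2, ix: Ix::MintNft },
        Instruction { program_id: ATTACKER_PROGRAM, ix: Ix::CpiIntoSetCollection },
    ]
}

fn main() {
    // Constructed state: the candy machine is sold out and the bot tax is on.
    let mut cm = CandyMachine { items_available: 1, items_redeemed: 1, punish_bots: true };
    println!("vulnerable: {:?}", run_transaction(&mut cm, &exploit_sequence(), false));
    println!("fixed:      {:?}", run_transaction(&mut cm, &exploit_sequence(), true));
}
```

With the vulnerable check the sold-out machine reports (false, true): nothing was minted, yet the collection was set. Turning the bot tax off makes the first instruction fail and the transaction abort before the second instruction runs, which is the behaviour the previous-instruction check was implicitly relying on.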
Related Identifiers
Affected Products
Candy Machine V2