The smart contract has a critical security flaw regarding the diamond address. If not addressed, this flaw leads to unauthorized access to important functions.
In the contract, there's a variable called diamond that's supposed to restrict access to essential functions: "mint" and "burnFrom." However, the contract doesn't check during setup if the diamond address is valid.
If an attacker sets diamond to zero:
Anyone can create new tokens (mint) or destroy existing ones (burnFrom).
This could lead to unauthorized changes to the contract, financial losses, and chaos.
Manually
{
require(diamondAddr != address(0), "Diamond address cannot be the zero address");
diamond = diamondAddr;
}
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.