Beginner Friendly, Foundry, Bridge
Submission Details
Severity: low
Valid

Function lacks validation for duplicate token symbols, risking unexpected token addresses and operational errors

Summary

The deployToken function in TokenFactory.sol lacks validation for duplicated token symbols.

Vulnerability Details

In the deployToken function, there is no check for whether a symbol has already been registered. If a user registers token A with symbol S, and another user deploys token B with the same symbol S, the mapping from symbol S to a token address is overwritten. Subsequently, if the original user calls getTokenAddressFromSymbol on the same contract, the return value may differ from what they expect.

Impact

Users may receive unexpected token addresses, potentially causing issues such as minting a different token than intended (e.g., minting token B instead of token A).

Tools Used

Manual Review

Recommendations

To mitigate this issue, check whether the symbol has already been registered before deploying a new token. Consider adding a validation statement at the beginning of the token deployment, such as require(s_tokenToAddress[symbol] == address(0), "Symbol already registered"). The condition must hold only when the symbol is still unset, so that a second deployment under the same symbol reverts. This check prevents an existing symbol's mapping from being overwritten and ensures users receive the expected return values.

Updates

Lead Judging Commences

0xnevi Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

deployToken: non-unique symbol for tokens
