Submission Details
Severity: high
Invalid

function _burn() / buyPresent() causes arithmetic underflow

Summary

The buyPresent() function is used to trade tokens for NFTs.

function buyPresent(address presentReceiver) external {
    i_santaToken.burn(presentReceiver);
    _mintAndIncrement();
}

The i_santaToken.burn(presentReceiver) function is used to burn the SantaToken, and _mintAndIncrement() is used to mint an NFT.

Vulnerability Details

function burn(address from) external {
    if (msg.sender != i_santasList) {
        revert SantaToken__NotSantasList();
    }
    _burn(from, 1e18);
}

The burn function has no logic to check whether the user's balance is less than the required amount of 1e18 SantaToken.

Impact

So even if the balance is less than 1e18, the function goes through and causes an arithmetic underflow.

function testNCTBuyPresentCausesArithmeticUnderFlow() public {
    // Santa marks the user EXTRA_NICE in both passes.
    vm.startPrank(santa);
    santasList.checkList(user, SantasList.Status.EXTRA_NICE);
    santasList.checkTwice(user, SantasList.Status.EXTRA_NICE);
    vm.stopPrank();
    // Move the block timestamp past CHRISTMAS_2023_BLOCK_TIME.
    vm.warp(santasList.CHRISTMAS_2023_BLOCK_TIME() + 1);
    // The user calls buyPresent(); the call is expected to revert.
    vm.startPrank(user);
    vm.expectRevert();
    santasList.buyPresent(user);
    vm.stopPrank();
}

Tools Used

  • foundry

  • manual code review

Recommendations

A balance check is required before calling the buyPresent() function to avoid arithmetic underflow.
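
The recommended balance check, beside a burn that has none, as an added example that is not code from this submission or from the audited project. It assumes a Solidity 0.8+ compiler and forge-std; MiniToken, burnGuarded, InsufficientBalance, PRICE and START are hypothetical names on a constructed stand-in token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test, stdError} from "forge-std/Test.sol";

uint256 constant PRICE = 1e18; // amount burned per present, as on the page

// Constructed stand-in token; not the audited SantaToken.
contract MiniToken {
    error InsufficientBalance(uint256 have, uint256 need);
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    // No explicit check: with Solidity >= 0.8 checked arithmetic, the
    // subtraction reverts with Panic(0x11) and no state is changed.
    function burn(address from) external {
        balanceOf[from] -= PRICE;
    }

    // Explicit balance check: same outcome (revert), descriptive reason.
    function burnGuarded(address from) external {
        uint256 bal = balanceOf[from];
        if (bal < PRICE) revert InsufficientBalance(bal, PRICE);
        balanceOf[from] = bal - PRICE;
    }
}

contract BurnUnderflowTest is Test {
    uint256 constant START = 0.5e18; // less than PRICE
    MiniToken token;
    address user = makeAddr("user");

    function setUp() public {
        token = new MiniToken();
        token.mint(user, START);
    }

    function testBurnWithoutCheckRevertsWithPanic() public {
        vm.expectRevert(stdError.arithmeticError);
        token.burn(user);
        assertEq(token.balanceOf(user), START); // balance untouched
    }

    function testGuardedBurnRevertsWithCustomError() public {
        vm.expectRevert(abi.encodeWithSelector(MiniToken.InsufficientBalance.selector, START, PRICE));
        token.burnGuarded(user);
        assertEq(token.balanceOf(user), START); // balance untouched
    }
}
```

Both tests pass under `forge test`: either way the call reverts and the balance is unchanged, and the explicit check only changes the revert reason the caller sees.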

Updates

Lead Judging Commences

inallhonesty Lead Judge almost 2 years ago
Submission Judgement Published
Invalidated
Reason: Design choice
