The Standard

DeFiHardhat

20,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

Minting of new tokens from SmartVaultManagerV5 contract can be blocked

gkrastenov

Summary

Minting of new tokens from SmartVaultManagerV5 contract can be blocked.

Vulnerability Details

When a user mints a new token from the SmartVaultManagerV5 contract, the _safeMint function is called with the _afterTokenTransfer function. In this function, from = address(0), _to = msg.sender, and _tokenId = lastToken + 1;. Subsequently, the transferTokenId function of the smartVaultIndex contract is called.

smartVaultIndex.transferTokenId(_from, _to, _tokenId);

In the smartVaultIndex contract, during the minting process in the transferTokenId function, all tokenIds belonging to address(0) will be looped through.

Here is a code snippet from the deployed smartVaultIndex contract:

function removeTokenId(address _user, uint256 _tokenId) private {

// _user = address(0)

uint256[] memory currentIds = tokenIds[_user];

uint256 idsLength = currentIds.length;

delete tokenIds[_user];

for (uint256 i = 0; i < idsLength; i++) {

if (currentIds[i] != _tokenId) tokenIds[_user].push(currentIds[i]);

}

// _afterTokenTransfer(address(0), to, tokenId, 1); for mint

// _afterTokenTransfer(msg.sender, address(0), tokenId, 1); for burn

function transferTokenId(address _from, address _to, uint256 _tokenId) external onlyManager {

removeTokenId(_from, _tokenId);

tokenIds[_to].push(_tokenId);

}

The looping of tokenIds will be skipped at the beginning because address(0) will not have any tokens belonging to it.

If a user decides to burn their token, the _afterTokenTransfer function will be called with _from = msg.sender and _to = address(0), leading to the tokenId being transferred to address(0).

If many token IDs are burned,at some time it may lead to a DDoS on minting new tokens, as gas will be consumed during the looping of tokenIds for address(0) in the smartVaultIndex contract.

Impact

Minting of new tokens from SmartVaultManagerV5 contract will be blocked.

Tools Used

Manual Review

Recommendations

When a token is burned, transfer it to address(1).

Updates

Lead Judging Commences

hrishibhat Lead Judge over 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

informational/invalid

Prize pool breakdown

Total prize

20,000 USDC

nSLOC

609

33 USDC / LOC

High Medium

17,500 USDC

Low

2,500 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.