MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: medium
Invalid

Lack of Input Validation

Summary

The mint function in the StETHMock contract lacks comprehensive input validation. While it checks whether _amount is too big, it does not explicitly check for non-zero amounts. Minting zero shares could be a pointless operation that still costs gas.

Vulnerability Details

In the StETHMock contract, the mint function is designed to create new shares and increase the total pooled Ether.

    function mint(address _account, uint256 _amount) external {
        require(_amount <= 1000 * (10 ** decimals()), "StETHMock: amount is too big");
        uint256 sharesAmount = getSharesByPooledEth(_amount);
        _mintShares(_account, sharesAmount);
        totalPooledEther += _amount;
    }

The function includes a check to ensure that the _amount being minted does not exceed a certain limit (1000 * (10 ** decimals())). However, it does not explicitly check that _amount is greater than zero. This means that it is possible to call the mint function with an _amount of zero, which would execute the function without actually changing the state of the contract's balances or shares.

Impact

Executing a function with a zero amount is generally considered a waste of gas, as it consumes network resources without achieving any meaningful result. In a production environment, this could be exploited by an attacker to waste the contract owner's funds by repeatedly calling mint with a zero amount, causing unnecessary gas fees.

Tools Used

Manual Review

Recommendations

The contract should include a check to ensure that the _amount is greater than zero before proceeding with the minting process. This can be done by adding a require statement like this:

require(_amount > 0, "StETHMock: amount must be greater than zero");

Adding this check would ensure that the minting function cannot be called with a zero amount, thus preventing the pointless consumption of gas and protecting the contract from potential denial-of-service attacks that exploit this oversight.
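The following Foundry-style test is an added example, not code from the submission or from the MorpheusAI repository. It checks both behaviours described above: a zero-amount mint succeeds without changing state, and the recommended require makes it revert. MintModel, its rejectZero switch, the 18-decimal value and the share math (modelled on Lido-style accounting) are assumptions standing in for the real StETHMock.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified stand-in for StETHMock (hypothetical; not the project's contract).
// The share accounting below is an assumption, not taken from the page.
contract MintModel {
    uint256 public totalPooledEther;
    uint256 public totalShares;
    mapping(address => uint256) public shares;
    bool public immutable rejectZero; // true = variant with the recommended check

    constructor(bool _rejectZero) { rejectZero = _rejectZero; }

    function decimals() public pure returns (uint8) { return 18; }

    function getSharesByPooledEth(uint256 _amount) public view returns (uint256) {
        if (totalPooledEther == 0) return _amount; // assumed 1:1 bootstrap
        return (_amount * totalShares) / totalPooledEther;
    }

    function mint(address _account, uint256 _amount) external {
        if (rejectZero) require(_amount > 0, "StETHMock: amount must be greater than zero");
        require(_amount <= 1000 * (10 ** decimals()), "StETHMock: amount is too big");
        uint256 sharesAmount = getSharesByPooledEth(_amount);
        shares[_account] += sharesAmount; // stands in for _mintShares
        totalShares += sharesAmount;
        totalPooledEther += _amount;
    }
}
// Foundry runs functions prefixed with "test"; no forge-std import is needed.
contract ZeroMintTest {
    function testZeroMintLeavesStateUnchanged() public {
        MintModel m = new MintModel(false);
        m.mint(address(this), 1 ether);
        uint256 pooled = m.totalPooledEther();
        uint256 mine = m.shares(address(this));
        m.mint(address(this), 0); // succeeds as a no-op
        assert(m.totalPooledEther() == pooled);
        assert(m.shares(address(this)) == mine && m.totalShares() == mine);
    }

    function testZeroMintRevertsWithCheck() public {
        MintModel m = new MintModel(true);
        try m.mint(address(this), 0) {
            assert(false); // a zero mint must not succeed in this variant
        } catch Error(string memory reason) {
            assert(keccak256(bytes(reason)) == keccak256("StETHMock: amount must be greater than zero"));
        }
    }
}
```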

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
