In MErc20DelegateFixer.sol, the function repayBadDebtWithCash doesn't check amount, so it can be zero. A zero-amount call wouldn't change anything, and the user pays the gas for nothing.
The vulnerability lies in the function repayBadDebtWithCash within the MErc20DelegateFixer.sol contract. This function lacks a check for the amount parameter, allowing it to be zero. As a result, users can execute the function with a zero amount, which would not alter the contract state but still incur gas costs to the user.
The impact of this vulnerability is primarily financial and operational. Users may unknowingly or intentionally call the repayBadDebtWithCash function with a zero amount, expecting to repay debt but achieving no change in the contract state. However, they would still be charged transaction fees for gas usage. Over time, this could lead to unnecessary gas expenditure for users and potential frustration due to the lack of expected outcomes. Additionally, it could introduce inefficiencies in the contract's operation and undermine user trust in the system's functionality.
Manual Review
Consider adding a require that amount > 0.