Incorrect Error Message in CrimeMoney Contract During Burn Operation
Summary
When a user attempts to burn CrimeMoney to receive USDC, they encounter an incorrect error message stating "CrimeMoney: only MoneyShelf can mint" instead of the expected "CrimeMoney: only MoneyShelf can burn". This misleads users and complicates troubleshooting and debugging efforts.
Vulnerability Details
Function: Burn CrimeMoney
Issue: Incorrect Error Message
The error message displayed when attempting to burn CrimeMoney incorrectly indicates a minting permission issue rather than a burning permission issue.
This inconsistency causes confusion for users and developers trying to resolve the issue.
Proof of Concept:
Burn CrimeMoney:
When a user calls the burn function, the contract throws an error with the message "CrimeMoney: only MoneyShelf can mint" instead of "CrimeMoney: only MoneyShelf can burn".
Impact
User Confusion: Users receive misleading error messages, making it difficult to understand the actual issue.
Debugging Difficulty: Developers face challenges in troubleshooting and resolving the error due to incorrect error messages.
Operational Inefficiency: The misleading error message can result in delays and inefficiencies in resolving user issues and maintaining the system.
Tools Used
Manual Review
Recommendations
Correct Error Messages: Update the error messages in the contract to accurately reflect the permission issue.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.