Zaros Part 1
Zaros
DeFiFoundry
60,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Missing Input Validation in mint Function of USDToken Contract

kevinkkien

Summary

The mint function in the USDToken contract does not validate the recipient address (to) before minting new tokens. If the to address is the zero address (address(0)), the minted tokens will be lost permanently.

Vulnerability Details

The mint function allows the contract owner to create new tokens and assign them to a specified address. However, it does not include a check to ensure that the to address is not the zero address:

https://github.com/Cyfrin/2024-07-zaros/blob/main/src/usd/USDToken.sol#L17

If the to address is set to the zero address (either accidentally or maliciously), the minted tokens will be sent to an invalid address and become inaccessible. This results in a permanent loss of the minted tokens.

function mint(address to, uint256 amount) external onlyOwner {
_requireAmountNotZero(amount);
_mint(to, amount); // Missing check for to != address(0)
}

Impact

The contract owner could lose a significant amount of tokens if they are minted to the zero address.

Tools Used

Manual review

Recommendations

Add a require statement before the _mint call to ensure that the to address is not the zero address:

function mint(address to, uint256 amount) external onlyOwner {
_requireAmountNotZero(amount);
require(to != address(0), "Invalid recipient address"); // Add this check
_mint(to, amount);
}
Updates

Lead Judging Commences

inallhonesty Lead Judge
11 months ago
inallhonesty Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.