Liquid Staking

Stakelink

DeFiHardhatOracle

50,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

TokenOwnership mapping in contract stakedotlinkCouncil

viquetoh

Summary: The `mapping(address => uint256) public tokenOwned` allows each address to have only one token associated with it.

This means that, if the address should mint a second token the first token is overwritten;

Vulnerability Details:

contract StakedotlinkCouncil is Ownable {

// Event that is emitted when a new stakedotlinkCouncil token is minted

event Mint(uint256 indexed tokenId, address to);

// Event that is emitted when an existing stakedotlinkCouncil token is burned

event Burn(uint256 indexed tokenId);

// Event that is emitted when an existing stakedotlinkCouncil token is Transferred

event Transfer(address indexed from, address indexed to, uint256 indexed tokenId);

// Event that is emitted when an existing stakedotlinkCouncil token's uri is altered

event TokenURISet(uint256 tokenId, string tokenURI);

// Array of token ids

uint256[] public tokens;

// Map between an owner and their tokens

mapping(address => uint256) public tokenOwned;

// Maps a token to the owner address

Impact:

This mapping(address => uint256) public tokenOwned allows only one token ID associated with it. This means that if a user is to mint a second token the first is overwritten.

This could probably lead to data inconsistency. If a user should own multiple tokens the for example(Token ID1 and Token ID2) the mapping would behave like this:

tokenOwned[owner] = 1;

when the mint token ID2

tokenOwned[owner] = 2;

meaning that the mapping doesn't maintain information about all tokens owned by the address.
The owner would only have the last minted token ID stored.

Tools Used:

Recommendations:

Using a mapping like this mapping of address => uint256[] is a better way to track ownership when a user can own multiple tokens.
instead of this:

mapping(address => uint256) public tokenOwned

use this:

mapping(address => uint256[]) public tokenOwned;

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Out of scope

Prize pool breakdown

Total prize

50,000 USDC

nSLOC

2,530

20 USDC / LOC

High Medium

42,000 USDC

Low

4,250 USDC

Judges

3,750 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.