Description: The contract does not adequately validate its inputs, such as the treat names passed to functions like trickOrTreat and setTreatCost. This can lead to unexpected behavior or errors.
Found in src/TrickOrTreat.sol Line: 48
Found in src/TrickOrTreat.sol Line: 34
Impact:
Invalid or malicious inputs can cause the contract to behave unpredictably or enter an unintended state.
May allow attackers to exploit the contract by passing unexpected inputs, potentially leading to loss of funds or denial of service.
Proof of Concept:
Scenario: A user calls trickOrTreat with a non-existent treat name.
Exploit: The function could proceed with incorrect logic or revert unexpectedly, affecting user experience and contract functionality.
Recommended Mitigation:
Implement checks to ensure inputs are valid and within expected ranges or formats.
Use require statements to enforce input constraints and provide informative error messages.
Conduct thorough testing with edge cases to ensure all inputs are handled correctly.
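The recommended checks, sketched as an added example rather than code from the audited src/TrickOrTreat.sol. The storage layout, the exists flag, the owner check, addTreat and the TreatClaimed event are assumptions made for illustration; only the names trickOrTreat and setTreatCost come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical sketch: storage layout, owner check, addTreat and the event are
// assumptions for illustration, not the audited contract.
contract TreatInputValidation {
    struct Treat {
        uint256 cost;
        bool exists; // explicit flag, so a default (zero) entry is never read as a real treat
    }

    address public immutable owner;
    mapping(bytes32 => Treat) private treats; // keyed by keccak256 of the treat name

    event TreatClaimed(address indexed buyer, string name, uint256 cost);

    constructor() {
        owner = msg.sender;
    }

    function addTreat(string calldata name, uint256 cost) external {
        require(msg.sender == owner, "Only owner");
        require(bytes(name).length != 0, "Treat name is empty");
        require(cost != 0, "Treat cost must be non-zero");
        Treat storage t = treats[keccak256(bytes(name))];
        require(!t.exists, "Treat already exists");
        t.cost = cost;
        t.exists = true;
    }

    function setTreatCost(string calldata name, uint256 cost) external {
        require(msg.sender == owner, "Only owner");
        require(cost != 0, "Treat cost must be non-zero");
        Treat storage t = treats[keccak256(bytes(name))];
        // Updating a name that was never added would silently create a half-initialised entry.
        require(t.exists, "Treat does not exist");
        t.cost = cost;
    }

    function trickOrTreat(string calldata name) external payable {
        Treat storage t = treats[keccak256(bytes(name))];
        // A non-existent name reads back as cost 0; reject it before any payment logic runs.
        require(t.exists, "Treat does not exist");
        require(msg.value >= t.cost, "Insufficient ETH sent");
        emit TreatClaimed(msg.sender, name, t.cost);
    }
}
```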