Trick or Treat

First Flight #27
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: low
Invalid

Missing Zero Check in setTreatCost Function

Description

The setTreatCost function lacks a check to prevent setting a treat’s cost to zero. If the owner inadvertently sets a treat’s cost to zero, users will be unable to complete the trickOrTreat function due to a require check that treat.cost must be greater than zero. This effectively locks the treat, preventing any further minting of that treat, and the owner would be unable to update its cost again due to the same check in setTreatCost.

Impact

Setting the cost to zero renders the treat inaccessible in trickOrTreat and prevents the owner from setting a valid non-zero cost in the future, effectively locking that treat indefinitely.

Recommended Mitigation

Add a zero check on the _cost parameter to prevent setting a treat’s cost to zero:

function setTreatCost(string memory _treatName, uint256 _cost) public onlyOwner {
require(treatList[_treatName].cost > 0, "Treat must cost something.");
+ require(_cost > 0, "Cost must be greater than zero.");
treatList[_treatName].cost = _cost;
}
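
Review bot: the added require on _cost only guards new writes through this setter; the unchanged first line, require(treatList[_treatName].cost > 0, ...), still reverts for any treat whose stored cost is already zero, so a treat in that state cannot be repaired here. Consider separating the existence check from the stored-cost check, or documenting that the first require doubles as the existence check. Its message "Treat must cost something." also describes the stored value rather than the _cost argument, which makes the two reverts hard to tell apart.
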
Updates

Appeal created

bube Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[invalid] Zero treat cost

The cost of the treat is set only by the owner (in the constructor, in addTreat and in setTreatCost). That means the cost of the treat will always be greater than zero.
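
The lock described in the submission and the effect of the recommended check, as an added example that is not part of the original page or the contest code base. TreatCostModel and LockDemo are hypothetical stand-ins that model only the cost mapping and the quoted setter, with a constructed "candy" treat; LockDemo deploys the model and is therefore its owner.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Hypothetical model: only treatList, setTreatCost, _treatName and _cost come
// from the page; every other name here is an assumption for illustration.
contract TreatCostModel {
    struct Treat { uint256 cost; }
    mapping(string => Treat) public treatList;
    address public immutable owner;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() {
        owner = msg.sender;
        treatList["candy"].cost = 1 ether; // constructed sample treat
    }

    // Setter as quoted in the submission, without the recommended line.
    function setTreatCost(string memory _treatName, uint256 _cost) public onlyOwner {
        require(treatList[_treatName].cost > 0, "Treat must cost something.");
        treatList[_treatName].cost = _cost;
    }

    // Same setter with the recommended zero check on _cost.
    function setTreatCostChecked(string memory _treatName, uint256 _cost) public onlyOwner {
        require(treatList[_treatName].cost > 0, "Treat must cost something.");
        require(_cost > 0, "Cost must be greater than zero.");
        treatList[_treatName].cost = _cost;
    }
}

contract LockDemo {
    // Returns (zeroAccepted, recoveryReverted, checkedRejectsZero).
    function run() external returns (bool, bool, bool) {
        TreatCostModel a = new TreatCostModel();
        a.setTreatCost("candy", 0); // original setter accepts a zero cost
        bool zeroAccepted = a.treatList("candy") == 0;
        bool recoveryReverted;
        // The stored cost is now zero, so the first require blocks any repair.
        try a.setTreatCost("candy", 1 ether) {} catch { recoveryReverted = true; }

        TreatCostModel b = new TreatCostModel();
        bool checkedRejectsZero;
        // With the recommended check the zero write never reaches storage.
        try b.setTreatCostChecked("candy", 0) {} catch { checkedRejectsZero = true; }
        return (zeroAccepted, recoveryReverted, checkedRejectsZero);
    }
}
```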
