Trick or Treat

First Flight #27
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: medium
Invalid

Lack of Input Validation

Summary

Several functions in the contract lack proper input validation, allowing potentially problematic values to be set.

Vulnerability Details

Location: src/TrickOrTreat.sol:addTreat(), src/TrickOrTreat.sol:setTreatCost()

Proof of Concept:

```solidity
// Foundry test function; assumes a Test contract whose setUp() deploys the
// TrickOrTreat contract as `spookySwap` and stores its owner address as `owner`.
function testLackOfInputValidation() public {
    // Test adding a treat with an empty name
    vm.prank(owner);
    spookySwap.addTreat("", 1 ether, "ipfs://metadata");
    // Verify that the treat was added despite having an empty name
    (, uint256 cost,) = spookySwap.treatList("");
    assertEq(cost, 1 ether, "Treat with empty name should have been added");

    // Test setting a treat cost to zero
    vm.prank(owner);
    spookySwap.setTreatCost("Candy", 0);
    // Verify that the treat cost was set to zero
    (, uint256 newCost,) = spookySwap.treatList("Candy");
    assertEq(newCost, 0, "Treat cost should have been set to zero");

    // Test adding a treat with an invalid URI
    vm.prank(owner);
    spookySwap.addTreat("InvalidURITreat", 1 ether, "not_a_valid_uri");
    // Verify that the treat was added despite having an invalid URI
    (, , string memory uri) = spookySwap.treatList("InvalidURITreat");
    assertEq(uri, "not_a_valid_uri", "Treat with invalid URI should have been added");
}
```

Impact

This could lead to treats with empty names, zero costs, or invalid URIs being added to the contract, potentially causing unexpected behavior or confusion for users.

Tools Used

Forge

Recommendations

Implement proper input validation for all user-supplied inputs.
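One way to add the checks this recommendation calls for, as an added example that is not the project's own code: the Treat struct layout is inferred from the PoC's tuple destructuring (name, cost, metadataURI), the parameter names and the OpenZeppelin v5 Ownable setup are assumptions, and the `ipfs://` prefix rule is one possible URI policy, chosen because the PoC treats `ipfs://metadata` as valid and `not_a_valid_uri` as invalid.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin v5 Ownable (constructor takes the initial owner).
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

contract TrickOrTreatHardened is Ownable {
    // Struct layout assumed from the PoC's (name, cost, metadataURI) tuple.
    struct Treat { string name; uint256 cost; string metadataURI; }
    mapping(string => Treat) public treatList;

    error EmptyName();
    error ZeroCost();
    error InvalidURI();
    error TreatAlreadyExists(string name);
    error TreatNotFound(string name);

    constructor() Ownable(msg.sender) {}

    // Reject empty names, zero cost, malformed URIs and silent overwrites.
    function addTreat(string memory _name, uint256 _rate, string memory _metadataURI)
        public onlyOwner
    {
        if (bytes(_name).length == 0) revert EmptyName();
        if (_rate == 0) revert ZeroCost();
        _requireIpfsUri(_metadataURI);
        if (bytes(treatList[_name].name).length != 0) revert TreatAlreadyExists(_name);
        treatList[_name] = Treat(_name, _rate, _metadataURI);
    }

    // Only existing treats can be repriced, and never to zero.
    function setTreatCost(string memory _treatName, uint256 _cost) public onlyOwner {
        if (bytes(treatList[_treatName].name).length == 0) revert TreatNotFound(_treatName);
        if (_cost == 0) revert ZeroCost();
        treatList[_treatName].cost = _cost;
    }

    // Minimal on-chain URI check: must start with "ipfs://" and carry a non-empty path.
    function _requireIpfsUri(string memory uri) internal pure {
        bytes memory b = bytes(uri);
        bytes memory prefix = bytes("ipfs://");
        if (b.length <= prefix.length) revert InvalidURI();
        for (uint256 i = 0; i < prefix.length; i++) {
            if (b[i] != prefix[i]) revert InvalidURI();
        }
    }
}
```

With these checks in place, each of the three calls in the PoC above reverts instead of storing a malformed treat.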

Updates

Appeal created

bube Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
