Trick or Treat
First Flight #27
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: low
Invalid

TrickOrTreat::setTreatCost allows setting cost to 0 which will lead to DOS

eshumanohare_cyfrin

Summary

setTreatCostreverts if the current cost of the treat is 0, but does not check if the new cost is 0 or not. This prevents the owner from modifying the cost of the treat later on if mistakenly set 0.

function setTreatCost(string memory _treatName, uint256 _cost) public onlyOwner {
// @audit what if the new cost is 0, owner wont be able to change the cost then
require(treatList[_treatName].cost > 0, "Treat must cost something.");
treatList[_treatName].cost = _cost;
}

Vulnerability Details

The owner can mistakenly set the cost of the treat to be 0 and then will not be able to update it using setTreatCost. This will lead to a DOS for that specific treat.

Impact

Low

Likelihood - Low (Since the owner can only set the cost of the treat, it is highly unlikely that the owner will set it to 0)

Impact - Low (It will only effect that specific treat whose cost is 0)

Tools Used

Manual Review

Recommendations

function setTreatCost(string memory _treatName, uint256 _cost) public onlyOwner {
require(_cost > 0, "Treat's new cost must not be zero");
require(treatList[_treatName].cost > 0, "Treat must cost something.");
treatList[_treatName].cost = _cost;
}
Updates

Appeal created

bube Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[invalid] Zero treat cost

The cost of the treat is set only by the owner (in the constructor, in addTreat and in setTreatCost). That means the cost of the treat will always be greater than zero.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.