Trick or Treat

First Flight #27

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: low

Invalid

Lack of Non-Zero Cost Validation in `setTreatCost` Function

jumpupjoran

summary

impact: medium
likelihood : low

The setTreatCost function in the SpookySwap contract does not validate that the new cost of a treat is non-zero.

function setTreatCost(string memory _treatName, uint256 _cost) public onlyOwner {

require(treatList[_treatName].cost > 0, "Treat must cost something.");

treatList[_treatName].cost = _cost;

}

This could allow the owner to unintentionally set a treat's cost to zero, which would make the treat unpurchasable due to the existing cost requirement in the trickOrTreat function.

function trickOrTreat(string memory _treatName) public payable nonReentrant {

Treat memory treat = treatList[_treatName];

require(treat.cost > 0, "Treat cost not set.");

Although this does not lead to free minting, it effectively locks the treat, making it impossible for users to acquire. And ultimatly ending the protocol to earn money with this specific NFT.

Impact

Setting a treat’s cost to zero does not allow free minting due to the trickOrTreat function’s cost requirement, but it does have the following implications:

Unintended Locking of Treats: Users cannot acquire a treat with a zero cost, effectively removing it from availability. (possibly driving up the price of the NFT due to scarcity)

Tools used

Mannual review

recommended mitigation

add an extra check:

function setTreatCost(string memory _treatName, uint256 _cost) public onlyOwner {

require(treatList[_treatName].cost > 0, "Treat must cost something.");

+ require(_cost > 0 , "new cost must be creater than 0");

treatList[_treatName].cost = _cost;

}

Updates

Appeal created

bube Lead Judge 10 months ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Assigned finding tags:

[invalid] Zero treat cost

The cost of the treat is set only by the owner (in the constructor, in addTreat and in setTreatCost). That means the cost of the treat will always be greater than zero.

Rewards breakdown

nSLOC

109

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.