Trick or Treat

First Flight #27 (Beginner Friendly, Foundry, 100 EXP)

Submission Details
Severity: low
Status: Invalid

User can spam pending NFT list by sending zero value with `trickOrTreat` function for trick scenario.


Description:
If a user can predict when the trick scenario will occur, they can call `trickOrTreat` with zero value and still have the minted NFT added to the pending list. Repeating this fills the pending list with entries that cost the caller nothing.

Recommended Mitigation:
Because the function already returns any excess funds, a check can be added at the start of `trickOrTreat` that only accepts calls whose value is at least the treat cost.

```diff
function trickOrTreat(string memory _treatName) public payable nonReentrant {
    Treat memory treat = treatList[_treatName];
    require(treat.cost > 0, "Treat cost not set.");
+   require(msg.value >= treat.cost, "Insufficient value sent");
```
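The following contract is an added illustration of the mitigation, not the First Flight #27 code. The `Treat` struct, `treatList`, the `pendingNFTs` array, the reentrancy guard and the trick/treat decision (`_isTrick`) are assumptions made so the example compiles stand-alone; only the `msg.value >= treat.cost` check and the refund of excess funds follow the report. Placing the check before the trick/treat branch means a zero-value call reverts before anything is pushed to the pending list, so every pending entry has been paid for at least `treat.cost`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example; storage layout and trick decision are assumptions,
/// not the audited project's code.
contract TrickOrTreatFixed {
    struct Treat {
        uint256 cost;
    }

    // Assumed shape of the pending list the report describes as spammable.
    struct Pending {
        address user;
        string treatName;
        uint256 paid;
    }

    mapping(string => Treat) public treatList;
    Pending[] public pendingNFTs;
    uint256 public nextTokenId;

    event Minted(address indexed to, uint256 indexed tokenId);

    // Minimal guard standing in for the page's nonReentrant modifier.
    bool private locked;
    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    // Assumed admin helper so the example can be exercised; no access control
    // is shown because it is not the point of the report.
    function setTreat(string memory name, uint256 cost) external {
        treatList[name] = Treat({cost: cost});
    }

    /// Assumed trick/treat decision. It is intentionally simple here so the
    /// example is reproducible; the real contract's randomness is not shown.
    function _isTrick(string memory name) internal view returns (bool) {
        return uint256(keccak256(abi.encodePacked(name, block.timestamp))) % 2 == 0;
    }

    function trickOrTreat(string memory _treatName) public payable nonReentrant {
        Treat memory treat = treatList[_treatName];
        require(treat.cost > 0, "Treat cost not set.");
        // The report's mitigation: an underpaid or zero-value call reverts
        // before either branch runs, so pending entries are never free.
        require(msg.value >= treat.cost, "Insufficient value sent");

        if (_isTrick(_treatName)) {
            // Trick: the mint is parked in the pending list, as the report
            // describes. The caller has now paid at least treat.cost for it.
            pendingNFTs.push(Pending(msg.sender, _treatName, msg.value));
        } else {
            _mint(msg.sender);
        }

        // Excess funds are returned, as the report says the original does.
        uint256 excess = msg.value - treat.cost;
        if (excess > 0) {
            (bool ok, ) = msg.sender.call{value: excess}("");
            require(ok, "refund failed");
        }
    }

    function pendingCount() external view returns (uint256) {
        return pendingNFTs.length;
    }

    function _mint(address to) internal {
        uint256 tokenId = nextTokenId++;
        emit Minted(to, tokenId);
    }
}
```

Calling `trickOrTreat("candy")` with `msg.value` of zero now reverts with "Insufficient value sent" regardless of which branch would have been taken, which is what removes the free-spam path. Note the judge's view below: even without this check the protocol keeps working with a very large pending list, which is why the finding was rated informational rather than a vulnerability.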
Updates

Appeal created

bube Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

[invalid] Unlimited pending NFTs

The protocol can work correctly with more than 20000 tokens in it. It is informational.
