Possibility of a Treat Getting Lost in the Contract
Summary
There is a possibility that a treat can get lost in the contract and will be unsable.
Vulnerability Details
On line 50 the following statement exists: require(treat.cost > 0, "Treat cost not set."). This means that it may be possbile for a treat to be added that does not have a cost set. However, If the owner adds a treat to the contract but does not set a cost, the treat will be forever lost and will be unusable. This is beacuse of the following:
In
setTreatCost()a treat's cost can only be changed if it already had a set cost. This means that any treat added without an initial cost set, the owner will never be able to change its cost later.In
trickOrtreat()only treats that have a set cost can be trick or treated.
Impact
Any treat added without an initial cost set will never be able to be trick or treated, which means the owner will never be able to sell it and mint NFTs from it to make revenue.
Tools Used
Manual Review
Recommendations
In setTreatCost() replace line 44 with require(_cost) > 0. This will ensure that a treat with a previous unset cost will be able to be updated.
Appeal created
[invalid] Zero treat cost
The cost of the treat is set only by the owner (in the constructor, in addTreat and in setTreatCost). That means the cost of the treat will always be greater than zero.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.