GivingThanks

First Flight #28

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: low

Valid

In the donate function, it is possible to send 0 ETH and mint an NFT token.

eth0x

Summary

The donate function is designed to allow users to donate Ether to a verified charity and receive an ERC721 (NFT) token as a form of acknowledgment or receipt for their donation. Here is possible to send 0 ETH and mint an NFT token.

Vulnerability Details

In the donate function, there is no validation for the amount of msg.value sent by the donator. As a result, it is possible to send 0 ETH and still mint an NFT token.

Impact

An unscrupulous donator could exploit the lack of validation for the donation amount, enabling them to mint an unlimited number of NFT tokens without contributing any actual value in Ether. This can undermine the integrity of the donation system and the incentives for genuine donations.

Tools Used

manual review

Recommendations

Please reconsider the protocol to prevent donations of 0 ETH.

Programisticly to prevent this, it's essential to add a validation check for msg.value in the donate function:

function donate(address charity) public payable {

require(registry.isVerified(charity), "Charity not verified");

require(msg.value > 0, "Donation must be greater than 0");

(bool sent,) = charity.call{value: msg.value}("");

require(sent, "Failed to send Ether");

_mint(msg.sender, tokenCounter);

// Create metadata for the tokenURI

string memory uri = _createTokenURI(msg.sender, block.timestamp, msg.value);

_setTokenURI(tokenCounter, uri);

tokenCounter += 1;

}

Updates

Lead Judging Commences

n0kto Lead Judge 9 months ago

Submission Judgement Published

Validated

Assigned finding tags:

finding-0-donation-mint-an-NFT

Likelyhood: Low, anyone can mint an NFT with 0 amount. No reason to do it. Impact: Informational/Very Low, NFT are minted to a false donator. An NFT with 0 in the amount section would be useless. Since that's a bad design and not expected, I'll consider it Low but in a real contest, it could be informational because there is no real impact.

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.