Potential DDoS Attack on the donate function
Summary
The donate function is designed to allow users to donate Ether to a verified charity and receive an ERC721 (NFT) token as a form of acknowledgment or receipt for their donation.
The donate function is susceptible to a Denial of Service (DoS) attack due to the lack of validation on the msg.value parameter.
Vulnerability Details
In the function is not valdiation for amount sended by donator and an attacker can repeatedly call the donate function with 0 ETH, which would still allow them to mint an NFT token. This can flood the contract with unnecessary transactions, consuming gas.
Impact
The repeated transactions can lead to network congestion, increasing gas prices and slowing down the network. The contract’s resources can be exhausted, making it difficult for legitimate users to interact with the contract.
Tools Used
manual review
Recommendations
The line require(msg.value > 0, "Donation must be greater than 0"); ensures that only transactions with a positive donation amount proceed, preventing the minting of NFTs for zero Ether and DDOS attacks.
Lead Judging Commences
finding-0-donation-mint-an-NFT
Likelyhood: Low, anyone can mint an NFT with 0 amount. No reason to do it. Impact: Informational/Very Low, NFT are minted to a false donator. An NFT with 0 in the amount section would be useless. Since that's a bad design and not expected, I'll consider it Low but in a real contest, it could be informational because there is no real impact.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.