Denial of Service via Unvalidated Pool Addresses and Zero Liquidity in UpliftOnlyExample Smart Contract
Summary
In the addLiquidityProportional function, there is no validation to ensure that the input amount is greater than zero or that the provided pool address as params is valid.
Vulnerability Details
An attacker can mint NFTs with input amount of 0 and use multiple invalid pool addresses, enabling a Denial of Service (DoS) attack.
Impact
It can prevent other users from minting NFTs.
Tools Used
Recommendations
In the addLiquidityProportional function, there must be a validation to ensure that the input amount is greater than 0 and that the provided pool address is valid.
Lead Judging Commences
Informational or Gas / Admin is trusted / Pool creation is trusted / User mistake / Suppositions
Please read the CodeHawks documentation to know which submissions are valid. If you disagree, provide a coded PoC and explain the real likelyhood and the detailed impact on the mainnet without any supposition (if, it could, etc) to prove your point.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.