Core Contracts

Regnum Aurum Acquisition Corp

HardhatReal World AssetsNFT

77,280 USDC

View results

Previous Next

Submission Details

Severity: medium

Invalid

Denial of Service (DoS) in NFTLiquidator::liquidateNFT due to Missing Access Control in IndexToken::mint

zebra

Summary

The IndexToken::mint function lacks access control, allowing an attacker to mint uint256.max tokens, permanently blocking further minting and disabling NFTLiquidator::liquidateNFT.

Vulnerability Details

The IndexToken::mint function lacks proper access control, allowing anyone to mint an unlimited supply of IndexToken. While an ERC-20 token’s totalSupply cannot exceed uint256.max, an attacker can mint a large amount of tokens, reaching this limit. Since IndexToken is not burnable, once the supply is maxed out, no further tokens can be minted.

This results in a permanent denial-of-service (DoS) for the NFTLiquidator::liquidateNFT function, which likely depends on the ability to mint new IndexToken, making liquidation operations completely blocked.

Impact

Attacker can block the NFTLiquidator::liquidateNFT function permanently.

Tools Used

Proof of Concepts

Create a new test file at test/unit/core/tokens/IndexToken.test.js, and add the following code.

import { expect } from "chai";

import hre from "hardhat";

const { ethers, network } = hre;

describe("IndexToken", function () {

let indexToken;

let owner;

it("indexToken Mint DOS", async function () {

let attacker;

[owner, attacker] = await ethers.getSigners();

const IndexTokenFactory = await ethers.getContractFactory("IndexToken");

indexToken = await IndexTokenFactory.deploy("IndexToken", "IT");

await indexToken

.connect(attacker)

.mint(attacker.address, ethers.MaxUint256);

// raise Arithmetic operation overflowed error

await indexToken.connect(owner).mint(owner.address, 1);

});

Run

npx hardhat test --grep "indexToken Mint DOS"

Recommendations

only allow trusted addresses to mint the IndexToken

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago

Submission Judgement Published

Invalidated

Reason: Out of scope

Prize pool breakdown

Total prize

77,280 USDC

nSLOC

3,864

20 USDC / LOC

High Medium

74,000

Low

3,280

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.