Beatland Festival

First Flight #44
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

Users Can Mint Zero Tokens – Wastes Gas, Inflates Total Transactions, and Pollutes State.


Description


BeatToken::mint() accepts an amount of zero. A user can call this function repeatedly with a zero amount, which is a waste of gas.

function mint(address to, uint256 amount) external { // @audit no check for amount == 0
    require(msg.sender == festivalContract, "Only_Festival_Mint");
    _mint(to, amount);
}

Risk

Any malicious user can call this function and mint with a zero amount.

Likelihood:

  • Medium

    • It's unlikely a user would do this by accident, but a malicious actor could easily automate this.


Impact:

Gas Waste / Griefing Risk:
An attacker could call mint(user, 0) repeatedly to:

  • Fill up the event logs with useless data.

  • Waste gas (not much, but non-zero).

  • Cause confusion in off-chain systems processing transfer events.

Proof of Concept


This test checks that a user can mint with a zero amount, which is a waste of gas.

function test_MintwithZeroValue() public {
    beatToken.setFestivalContract(festivalContract);
    vm.prank(festivalContract);
    beatToken.mint(user, 0);
    assertEq(beatToken.balanceOf(user), 0, "Minting zero value should not change balance");
    assertEq(beatToken.totalSupply(), 0, "Total supply should remain zero after minting zero value");
}
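A regression-test counterpart to the PoC above, as an added example that is not part of the submission or the project's code. MiniBeatToken is a hypothetical stand-in (constructor-set festivalContract, hand-written balances) that keeps the caller check shown in mint() and adds a zero-amount guard written as amount > 0; it assumes a Foundry project with forge-std installed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for BeatToken: only the mint() logic shown on the page,
// plus a zero-amount guard. Not the project's contract.
contract MiniBeatToken {
    address public festivalContract;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(address festival) { festivalContract = festival; }

    function mint(address to, uint256 amount) external {
        require(msg.sender == festivalContract, "Only_Festival_Mint");
        require(amount > 0, "Amount must be greater than zero");
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }
}

contract MiniBeatTokenTest is Test {
    address festival = makeAddr("festival"); // constructed test addresses
    address user = makeAddr("user");
    MiniBeatToken token;

    function setUp() public { token = new MiniBeatToken(festival); }

    function test_ZeroMintReverts() public {
        vm.prank(festival);
        vm.expectRevert(bytes("Amount must be greater than zero"));
        token.mint(user, 0);
    }
    function test_NonZeroMintStillWorks() public {
        vm.prank(festival);
        token.mint(user, 5);
        assertEq(token.balanceOf(user), 5);
        assertEq(token.totalSupply(), 5);
    }
    // The caller check runs first, so a non-festival caller never reaches the amount check.
    function test_OtherCallerRejectedByCallerCheck() public {
        vm.prank(user);
        vm.expectRevert(bytes("Only_Festival_Mint"));
        token.mint(user, 0);
    }
}
```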

Recommended Mitigation

Add a require that checks the amount is greater than zero and reverts if it is not.
+ require(amount < 0, "Amount must be greater than zero");
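Review bot: the comparison in the added require is inverted. mint(address to, uint256 amount) takes an unsigned amount, so amount < 0 can never be true and every call, including valid non-zero mints, would revert. The revert message says "Amount must be greater than zero", so the condition should be amount > 0 (or amount != 0), placed alongside the existing msg.sender check in mint().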
Updates

Lead Judging Commences

inallhonesty Lead Judge 26 days ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
