Beatland Festival

First Flight #44
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

mint() Allows Minting to Zero Address

Root + Impact

Description:

Under normal ERC1155 behavior, minting tokens to a valid recipient address increases their balance.

However, the current implementation does not prevent minting to the zero address, which may result in:

  • Emitting events with misleading data.

  • Unexpected behavior in UIs or indexers.

  • Breaking assumptions in downstream contracts integrating this protocol.

function mint(address to, uint256 id, uint256 amount) public {
    require(msg.sender == organizer, "Not organizer");
    _mint(to, id, amount, "");
}

Root cause:

@> _mint(to, id, amount, ""); <@
// No check for zero address

Risk

Likelihood:

  • Occurs when the organizer mistakenly passes address(0) as the to address.

  • Can happen during test runs, front-end bugs, or incorrect backend integrations.

Impact:

  • Tokens are technically minted but irretrievable.

  • Can confuse analytics, token tracking systems, and reduce protocol transparency.

  • Event logs may imply a valid mint occurred when it effectively didn't.

Proof of Concept

festivalPass.mint(address(0), 0, 100);
// Will execute successfully and emit events, but funds are lost

Recommended Mitigation

function mint(address to, uint256 id, uint256 amount) public {
require(msg.sender == organizer, "Not organizer");
+ require(to != address(0), "Cannot mint to zero address");
_mint(to, id, amount, "");
}
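
Review bot: The added `require(to != address(0), "Cannot mint to zero address");` in `mint` is only needed if the inherited `_mint` does not already reject the zero address, and the hunk does not show which ERC1155 base contract is in use, so confirm that before merging. If the check stays, add a test asserting that `mint(address(0), 0, 100)` reverts, so the guard cannot be removed silently later.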

This aligns with best practices in both ERC20 and ERC1155 implementations.
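
A Foundry regression test for the zero-address case, added here as an example and not taken from the submission or the Beatland Festival code base. `PassHarness` is a hypothetical stand-in that reproduces only the `mint` shown above with the recommended check applied; the OpenZeppelin ERC1155 base, the import paths and the test names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";
// Assumption: the audited contract builds on OpenZeppelin's ERC1155
import {ERC1155} from "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";

// Hypothetical harness: only the organizer-gated mint() from the finding
contract PassHarness is ERC1155 {
    address public organizer;

    constructor(address organizer_) ERC1155("") {
        organizer = organizer_;
    }

    function mint(address to, uint256 id, uint256 amount) public {
        require(msg.sender == organizer, "Not organizer");
        require(to != address(0), "Cannot mint to zero address");
        _mint(to, id, amount, "");
    }
}

contract MintZeroAddressTest is Test {
    PassHarness festivalPass;
    address organizer = makeAddr("organizer"); // constructed test accounts
    address alice = makeAddr("alice");

    function setUp() public {
        festivalPass = new PassHarness(organizer);
    }

    // The Proof of Concept call must revert once the check is in place
    function test_mintToZeroAddressReverts() public {
        vm.prank(organizer);
        vm.expectRevert(bytes("Cannot mint to zero address"));
        festivalPass.mint(address(0), 0, 100);
    }

    // The guard must not break the normal path
    function test_mintToValidRecipientCreditsBalance() public {
        vm.prank(organizer);
        festivalPass.mint(alice, 0, 100);
        assertEq(festivalPass.balanceOf(alice, 0), 100);
    }
}
```

Whether the unmitigated `mint` accepts `address(0)` depends on the inherited `_mint`: OpenZeppelin's ERC1155 has its own zero-address guard (v5 reverts with `ERC1155InvalidReceiver`). Deleting the added `require` from the harness and rerunning shows which guard fires.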

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Zero address check

Owner/admin is trusted / Zero address check - Informational
