OrderBook

First Flight #43
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: low
Likelihood: low
Invalid

L - Mock Tokens - Non-Standard Mint Implementation Deviates from Best Practices

Root + Impact

Description

Mock tokens should follow real-world ERC20 patterns for accurate testing. Most production tokens mint their total supply in the constructor and use transfer functions for distribution, rather than having public mint functions with non-standard behavior.

The mock tokens implement a confusing mint function that automatically multiplies input values by decimals, which differs from both standard ERC20 behavior and production token patterns.

// Current problematic implementation
function mint(address to, uint256 value) public {
    uint256 updateDecimals = uint256(tokenDecimals);
@>  _mint(to, (value * 10 ** updateDecimals)); // Confusing: auto-multiplies by decimals
}

Risk

Likelihood:

  • Developers expect standard ERC20 behavior during testing

  • Integration teams may misunderstand token amounts due to the automatic multiplication

Impact:

  • Confusion during development when mint(1) creates 1e18 tokens

  • Test results that don't reflect real token distribution patterns

  • Potential integration errors due to unexpected behavior

Proof of Concept

function test_confusingMintBehavior() public {
    // Developer calls mint(1) expecting 1 wei
    weth.mint(alice, 1);
    // But actually gets 1e18 wei (1 full token) due to automatic multiplication
    assertEq(weth.balanceOf(alice), 1e18); // Confusing!
}

Recommended Mitigation

Follow standard ERC20 patterns used in production:

contract MockWETH is ERC20 {
constructor(uint8 _decimals) ERC20("Mock WETH", "WETH") {
tokenDecimals = _decimals;
+ _mint(msg.sender, 1_000_000 * 10 ** _decimals); // Mint total supply to deployer
}
- function mint(address to, uint256 value) public {
- uint256 updateDecimals = uint256(tokenDecimals);
- _mint(to, (value * 10 ** updateDecimals));
- }
}
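
Review bot: the added constructor line hard-codes a supply of 1_000_000 tokens minted to msg.sender, while mint is removed with no replacement, so existing callers such as weth.mint(alice, 1) from the proof of concept will no longer compile and every test account has to be funded by a transfer from the deployer. Consider passing the initial supply as a constructor argument instead of the literal 1_000_000, and updating the test setup in the same change so the suite still builds.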

Benefits:

  • Follows real-world token distribution patterns

  • Eliminates confusing automatic decimal multiplication

  • Makes test setup clearer: weth.transfer(alice, 1e18) instead of weth.mint(alice, 1)

  • Better represents how users actually receive tokens in production

Updates

Lead Judging Commences

yeahchibyke Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Out of scope
