Algo Ssstablecoinsss

AI First Flight #2

Beginner FriendlyDeFi

EXP

View results

Previous Next

Submission Details

Impact: low

Likelihood: low

Invalid

[M-04] Missing Zero Amount Check in _burn_dsc Allows No-Op Burns

rensley

Root + Impact

Description

The _burn_dsc() function does not validate that amount_dsc_to_burn is greater than zero.
While _mint_dsc and _deposit_collateral have this check, burning zero tokens is allowed.
This can be used to manipulate events or perform no-op operations that waste gas and pollute logs.

// Root cause in the codebase with @> marks to highlight the relevant section

@internal

def _burn_dsc(

amount_dsc_to_burn: uint256, on_behalf_of: address, dsc_from: address

@> # Missing: assert amount_dsc_to_burn > 0

self.user_to_dsc_minted[on_behalf_of] -= amount_dsc_to_burn

extcall DSC.burn_from(dsc_from, amount_dsc_to_burn)

Risk

Likelihood: Low

Reason 1 // Requires intentional zero-value calls
Reason 2 // No direct financial loss

Impact: Low

Impact 1 // Gas wastage on no-op operations
Impact 2 // Potential for event spam
Impact 3 // Inconsistent validation across functions

Proof of Concept

The following demonstrates that zero-amount burns are accepted, unlike zero-amount mints which correctly revert. This inconsistency could be exploited to spam events or waste gas.

def test_zero_burn_allowed():

with boa.env.prank(user):

# Zero mint correctly reverts

with boa.reverts("DSCEngine__NeedsMoreThanZero"):

dsce.mint_dsc(0)

# But zero burn is allowed (inconsistent)

dsc.approve(dsce, 0)

dsce.burn_dsc(0) # No revert - wastes gas

Recommended Mitigation

Add a zero-amount check to _burn_dsc for consistency with other functions. This prevents no-op operations and ensures all state-changing functions validate their inputs.

@internal

def _burn_dsc(

amount_dsc_to_burn: uint256, on_behalf_of: address, dsc_from: address

+ assert amount_dsc_to_burn > 0, "DSCEngine__NeedsMoreThanZero"

self.user_to_dsc_minted[on_behalf_of] -= amount_dsc_to_burn

extcall DSC.burn_from(dsc_from, amount_dsc_to_burn)

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!