Open code423n4 opened 2 years ago
Good catch on MAX_TOTAL_XDEFI_SUPPLY
, it should be constant
and is being removed because you are correct that it is useless given that XDEFI
has a fixed supply.
You can see in the release candidate contract, that MAX_TOTAL_XDEFI_SUPPLY
has been removed, and amount_
is not longer checked to be greater than zero or less than MAX_TOTAL_XDEFI_SUPPLY
, but rather that resulting units
are sufficient: https://github.com/XDeFi-tech/xdefi-distribution/blob/v1.0.0-rc.0/contracts/XDEFIDistribution.sol#L333
valid finding!
Handle
TomFrenchBlockchain
Vulnerability details
Impact
Extra gas costs of all locking operations.
Proof of Concept
XDEFIDistribution.sol stores the total supply of the XDEFI token:
https://github.com/XDeFi-tech/xdefi-distribution/blob/3856a42df295183b40c6eee89307308f196612fe/contracts/XDEFIDistribution.sol#L14
This is so that the amount being locked can be checked to be less than this on each call
https://github.com/XDeFi-tech/xdefi-distribution/blob/3856a42df295183b40c6eee89307308f196612fe/contracts/XDEFIDistribution.sol#L255
This is unnecessary as the XDEFI token has no external mint function and so has a fixed supply. It's then impossible for any user to supply more than 240M XDEFI in order to fail this check.
https://etherscan.io/address/0x72b886d09c117654ab7da13a14d603001de0b777#code
Recommended Mitigation Steps
Remove the unnecessary check on the total supply.