deluca-mike
commented
2 years ago Good catch on MAX_TOTAL_XDEFI_SUPPLY, it should be constant and is being removed because you are correct that it is useless given that XDEFI has a fixed supply.
Open code423n4 opened 2 years ago
deluca-mike
commented
2 years ago Good catch on MAX_TOTAL_XDEFI_SUPPLY, it should be constant and is being removed because you are correct that it is useless given that XDEFI has a fixed supply.
deluca-mike
commented
2 years ago You can see in the release candidate contract, that MAX_TOTAL_XDEFI_SUPPLY has been removed, and amount_ is not longer checked to be greater than zero or less than MAX_TOTAL_XDEFI_SUPPLY, but rather that resulting units are sufficient: https://github.com/XDeFi-tech/xdefi-distribution/blob/v1.0.0-rc.0/contracts/XDEFIDistribution.sol#L333
Ivshti
commented
2 years ago valid finding!
Handle
TomFrenchBlockchain
Vulnerability details
Impact
Extra gas costs of all locking operations.
Proof of Concept
XDEFIDistribution.sol stores the total supply of the XDEFI token:
https://github.com/XDeFi-tech/xdefi-distribution/blob/3856a42df295183b40c6eee89307308f196612fe/contracts/XDEFIDistribution.sol#L14
This is so that the amount being locked can be checked to be less than this on each call
https://github.com/XDeFi-tech/xdefi-distribution/blob/3856a42df295183b40c6eee89307308f196612fe/contracts/XDEFIDistribution.sol#L255
This is unnecessary as the XDEFI token has no external mint function and so has a fixed supply. It's then impossible for any user to supply more than 240M XDEFI in order to fail this check.
https://etherscan.io/address/0x72b886d09c117654ab7da13a14d603001de0b777#code
Recommended Mitigation Steps
Remove the unnecessary check on the total supply.