code-423n4 / 2022-06-infinity-findings


Missing zero value check can limit mint supply #197

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-06-infinity/blob/main/contracts/token/InfinityToken.sol#L46

Vulnerability details

Impact

A missing zero value check in the constructor for the epochInflation argument allows EPOCH_INFLATION to be set to zero.

With EPOCH_INFLATION being 0, supplyToMint in advanceEpoch() will be 0, thus not making any changes to the TotalSupply and just limiting the total amount of tokens minted to the initial mint amount during contract construction.

Proof of Concept

  1. The contract is deployed with inputs, but the epochInflation parameter was mistakenly input as 0 and the supply input is 250 million tokens
  2. Assume it's time to advance epoch and a user calls advanceEpoch()
  3. In advanceEpoch(), the local variable supplyToMint will be 0.
  4. There is no newly minted token. So totalSupply remains 250 million tokens.

Tools Used

Manual review

Recommended Mitigation Steps

A require() check would be necessary during contract construction.
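The constructor check recommended above, shown in a simplified model contract. This is an added example, not part of the original report and not the InfinityToken source; every name other than EPOCH_INFLATION, epochInflation, supply, advanceEpoch and supplyToMint is an assumption, as is the epoch arithmetic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.14;

// Simplified model for illustration only (not the audited contract).
contract EpochMintModel {
    uint256 public immutable EPOCH_INFLATION; // tokens minted per elapsed epoch
    uint256 public immutable EPOCH_DURATION;  // assumed name: seconds per epoch
    address public immutable admin;           // assumed: receives minted tokens

    uint256 public totalSupply;
    uint256 public lastEpochTimestamp;        // assumed name
    mapping(address => uint256) public balanceOf;

    constructor(
        address admin_,
        uint256 epochInflation,
        uint256 epochDuration,
        uint256 supply
    ) {
        // Reject a zero inflation amount at deployment. In this model the
        // value is immutable, so a mistaken 0 could never be corrected.
        require(epochInflation != 0, "epochInflation is zero");
        // Assumed extra check: a zero duration would divide by zero below.
        require(epochDuration != 0, "epochDuration is zero");

        EPOCH_INFLATION = epochInflation;
        EPOCH_DURATION = epochDuration;
        admin = admin_;
        lastEpochTimestamp = block.timestamp;
        _mint(admin_, supply); // initial mint, e.g. 250 million tokens
    }

    function advanceEpoch() external {
        uint256 epochsPassed = (block.timestamp - lastEpochTimestamp) / EPOCH_DURATION;
        require(epochsPassed > 0, "epoch not elapsed");

        // Without the constructor check, EPOCH_INFLATION == 0 makes this 0
        // and totalSupply never grows past the initial mint.
        uint256 supplyToMint = epochsPassed * EPOCH_INFLATION;
        lastEpochTimestamp += epochsPassed * EPOCH_DURATION;
        _mint(admin, supplyToMint);
    }

    function _mint(address to, uint256 amount) private {
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}
```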

HardlyDifficult commented 2 years ago

Since this is a constructor param, user input validation is not necessarily required. Lowering risk and merging with the warden's QA report https://github.com/code-423n4/2022-06-infinity-findings/issues/216