A missing zero value check in the constructor for epochInflation argument allows EPOCH_INFLATION to be set to zero.
With EPOCH_INFLATION being 0, supplyToMint in advanceEpoch() will be 0, thus not making any changes to the TotalSupply and just limiting the total amount of tokens minted to the initial mint amount during contract construction.
Proof of Concept
Contract is deployed with inputs but epochInflation parameter mistakenly was inputed as 0 and supply inputed is 250 million tokens
Assume it's time to advance epoch and a user calls advanceEpoch()
In advanceEpoch(), the local variable supplyToMint will be 0.
there is no newly minted token. So totalSupply remains 250 million tokens.
Tools Used
Manual review
Recommended Mitigation Steps
A require() check would be necessary during contract construction.
Lines of code
https://github.com/code-423n4/2022-06-infinity/blob/main/contracts/token/InfinityToken.sol#L46
Vulnerability details
Impact
A missing zero value check in the constructor for
epochInflation
argument allowsEPOCH_INFLATION
to be set to zero.With EPOCH_INFLATION being 0,
supplyToMint
inadvanceEpoch()
will be 0, thus not making any changes to the TotalSupply and just limiting the total amount of tokens minted to the initial mint amount during contract construction.Proof of Concept
epochInflation
parameter mistakenly was inputed as 0 and supply inputed is 250 million tokensadvanceEpoch()
supplyToMint
will be 0.Tools Used
Manual review
Recommended Mitigation Steps
A require() check would be necessary during contract construction.