The _mint function does not include explicit validation to prevent the receiver address from being set as the zero address. Here is the vulnerable code snippet:
In this code, the function allows _receiver to be any Ethereum address, including the zero address. When tokens are minted with the zero address as the receiver, they become irretrievable, leading to potential loss and disruption of contract functionality.
Impact
Tokens minted with the zero address as the receiver will not be associated with any identifiable account or entity. These tokens become permanently unrecoverable, which can lead to a loss of value and disrupt the expected ownership and tracking mechanisms within the contract.
Proof of Concept
_mint(address(0), 100);
Tools Used
manual
Recommended Mitigation Steps
Add explicit validation to ensure that the receiver address is not set as the zero address.
Lines of code
https://github.com/GenerationSoftware/pt-v5-vault/blob/b1deb5d494c25f885c34c83f014c8a855c5e2749/src/Vault.sol#L1122-L1127
Vulnerability details
The
_mint
function does not include explicit validation to prevent the receiver address from being set as the zero address. Here is the vulnerable code snippet:In this code, the function allows
_receiver
to be any Ethereum address, including the zero address. When tokens are minted with the zero address as the receiver, they become irretrievable, leading to potential loss and disruption of contract functionality.Impact
Tokens minted with the zero address as the receiver will not be associated with any identifiable account or entity. These tokens become permanently unrecoverable, which can lead to a loss of value and disrupt the expected ownership and tracking mechanisms within the contract.
Proof of Concept
Tools Used
manual
Recommended Mitigation Steps
Add explicit validation to ensure that the receiver address is not set as the zero address.
Assessed type
Other