Open hats-bug-reporter[bot] opened 3 months ago
The reported issue regarding the lack of a check for to == address(0)
in the _mint
function has been reviewed. Here is our perspective:
address(0)
is an intentional feature of the contract. These ghost shares are necessary for our system's operations and are used in specific scenarios to facilitate certain functionalities within the EthMultiVault protocol.address(0)
is to prevent inflation attacks. By minting a small number of ghost shares, we ensure the integrity and stability of the vaults.address(0)
is done in a controlled manner, ensuring that it does not lead to unintended side effects or security vulnerabilities. This approach allows us to manage the system's state and behavior more effectively.In conclusion, while the absence of a to == address(0)
check in the _mint
function might appear unconventional, it is a deliberate design choice to support our protocol's requirements. The ghost shares serve a critical role in preventing inflation attacks and their negligible value ensures no economic risk. Therefore, we do not consider this a vulnerability but rather an integral part of our system's functionality. For this reason, the report is invalid.
Github username: @Jelev123 Twitter username: zhulien_zhelev Submission hash (on-chain): 0x9301ba90f4fe3974c6b8aa66c35875bc3945477aaabd2331306de9589ebb93c7 Severity: medium
Description: Description\ In _mint function is missing to check for
to == 0
Attack Scenario\ Describe how the vulnerability can be exploited.
Attachments
Recommendation
Check
to
for address(0)