hats-finance / Intuition-0x538dbadc50cc87b281cd655f1edbc6ebda02a66a

The smart contracts of the Intuition protocol v1.
https://intuition.systems

Missing check for address(0) #4

Open hats-bug-reporter[bot] opened 3 months ago

hats-bug-reporter[bot] commented 3 months ago

Github username: @Jelev123
Twitter username: zhulien_zhelev
Submission hash (on-chain): 0x9301ba90f4fe3974c6b8aa66c35875bc3945477aaabd2331306de9589ebb93c7
Severity: medium

Description: The _mint function is missing a check for to == 0.

Attack Scenario

Describe how the vulnerability can be exploited.

Attachments

  1. Proof of Concept (PoC) File https://github.com/0xIntuition/intuition-contracts/blob/e317b18b39c80374e7998d790e418f762f26d8c8/src/EthMultiVault.sol#L997

Recommendation

Check to for address(0)

mihailo-maksa commented 3 months ago

The reported issue regarding the lack of a check for to == address(0) in the _mint function has been reviewed. Here is our perspective:

  1. Intended Functionality: Minting shares to address(0) is an intentional feature of the contract. These ghost shares are necessary for our system's operations and are used in specific scenarios to facilitate certain functionalities within the EthMultiVault protocol.
  2. Inflation Attack Prevention: The primary purpose of minting shares to address(0) is to prevent inflation attacks. By minting a small number of ghost shares, we ensure the integrity and stability of the vaults.
  3. Insignificant Economic Impact: The value of these ghost shares is extremely small, amounting to less than $0.01 even if a million vaults are created. This minimal value ensures that the minting process does not present any economic problem or risk.
  4. Controlled Use Case: The minting to address(0) is done in a controlled manner, ensuring that it does not lead to unintended side effects or security vulnerabilities. This approach allows us to manage the system's state and behavior more effectively.

In conclusion, while the absence of a to == address(0) check in the _mint function might appear unconventional, it is a deliberate design choice to support our protocol's requirements. The ghost shares serve a critical role in preventing inflation attacks and their negligible value ensures no economic risk. Therefore, we do not consider this a vulnerability but rather an integral part of our system's functionality. For this reason, the report is invalid.
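Added example (not part of the thread and not Intuition's code): a Python model of generic ERC-4626-style share accounting, showing what ghost shares credited to address(0) change for a later depositor when the share price has been skewed. The pricing formula, the `Vault` class, `depositor_outcome` and all amounts are assumptions constructed for illustration; EthMultiVault's actual accounting may differ.

```python
# Added illustration: generic ERC-4626-style share math, NOT EthMultiVault code.
# The formula shares = assets * totalShares / totalAssets is an assumption.
ZERO_ADDRESS = "0x" + "00" * 20


class Vault:
    def __init__(self, ghost_shares=0):
        self.total_assets = 0
        self.total_shares = 0
        self.balances = {}
        if ghost_shares:
            # Ghost shares: backed 1:1 at creation and credited to address(0),
            # so no one can ever redeem them.
            self._mint(ZERO_ADDRESS, ghost_shares)
            self.total_assets += ghost_shares

    def _mint(self, to, shares):
        # Deliberately no `to != address(0)` check, as the maintainer describes.
        self.balances[to] = self.balances.get(to, 0) + shares
        self.total_shares += shares

    def deposit(self, to, assets):
        if self.total_shares == 0:
            shares = assets  # first deposit mints 1:1
        else:
            # Floor division mirrors Solidity integer division.
            shares = assets * self.total_shares // self.total_assets
        self._mint(to, shares)
        self.total_assets += assets
        return shares

    def redeemable(self, who):
        return self.balances.get(who, 0) * self.total_assets // self.total_shares


def depositor_outcome(ghost_shares, seed, skew, deposit):
    """Return (later depositor's loss, first depositor's redeemable assets)."""
    v = Vault(ghost_shares)
    v.deposit("first", seed)
    v.total_assets += skew  # assets arrive without a mint: share price rises
    v.deposit("later", deposit)
    return deposit - v.redeemable("later"), v.redeemable("first")


if __name__ == "__main__":
    for ghosts in (0, 10**6):  # constructed amounts, in wei
        print(ghosts, depositor_outcome(ghosts, 1, 10**18, 10**18))
```

In this model the vault without ghost shares rounds the later deposit down to zero shares, while with ghost shares the loss falls below one millionth of the deposit and the skewing assets accrue to the unredeemable address(0) balance.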