search

sherlock-audit / 2023-10-looksrare-judging

6 stars 6 forks source link

cheatc0d3 - Missing zero address check for 'to' address #114

Closed sherlock-admin closed 1 year ago

sherlock-admin commented 1 year ago

cheatc0d3

high

Missing zero address check for 'to' address

Summary

Upon manual review of the premint function in the smart contract, it was found that the function is a missing validation check for the zero address, which is a common best practice in smart contract development to prevent tokens from being minted to an address that cannot participate in the network. https://github.com/sherlock-audit/2023-10-looksrare/blob/main/contracts-infiltration/contracts/Infiltration.sol#L449

Vulnerability Detail

The function lacks a check to prevent minting to the zero address (address(0)). This could lead to a situation where tokens are minted to an unusable address, effectively locking them and reducing the circulating supply in a way that is not recoverable.

Impact

If tokens are minted to the zero address, those tokens are permanently lost and reduce the total circulating supply of the token.

Code Snippet

Original function

function premint(address to, uint256 quantity) external payable onlyOwner {
    if (quantity * PRICE != msg.value) {
        revert InsufficientNativeTokensSupplied();
    }

    if (totalSupply() + quantity > MAX_SUPPLY) {
        revert ExceededTotalSupply();
    }

    if (gameInfo.currentRoundId != 0) {
        revert GameAlreadyBegun();
    }

    _mintERC2309(to, quantity);
}

Optimized code:

function premint(address to, uint256 quantity) external payable onlyOwner {
    require(to != address(0), "Cannot mint to zero address");
    require(quantity * PRICE == msg.value, "Insufficient native tokens supplied");

    if (totalSupply() + quantity > MAX_SUPPLY) {
        revert ExceededTotalSupply();
    }

    if (gameInfo.currentRoundId != 0) {
        revert GameAlreadyBegun();
    }

    _mintERC2309(to, quantity);
}

Tool used

Manual Review

Recommendation

require(to != address(0), "Cannot mint to zero address");

Adding this line will prevent the function from executing if the to address is the zero address, thus preventing the accidental burning of tokens.

nevillehuang commented 1 year ago

Invalid according to sherlock guidelines

  1. Zero address checks: Check to make sure input values are not zero addresses.