0xKartikgiri00 - The contract `RioLRT` allows the `RioLRTcoordinator` to mint 0 token.

[sherlock-admin]

0xKartikgiri00

medium

The contract RioLRT allows the RioLRTcoordinator to mint 0 token.

Summary

In the mint function of the RioLRT contract, there is no check to ensure that the mint amount is greater than zero. As a result, the coordinator can invoke the mint function with a zero amount, resulting in a transaction that consumes gas without any actual minting of tokens.

Vulnerability Detail

This vulnerability allows RioLRTcoordinator to mint 0 token. Which add unnecessary tx on blockchain, waste gas by invoking the mint function with zero mint amount.

Proof Of Concept

The below test case shows how coordinator can mint 0 token amount.

function test_mint() public {
        uint256 initialSupply = token.totalSupply();

        vm.prank(address(reETH.coordinator));
        token.mint(address(42), 0);
        console.log("Token balance of user is:", token.balanceOf(address(42)));
        assertEq(token.balanceOf(address(42)), 0);
    }

Output:-

[PASS] test_mint() (gas: 41524)
Logs:
  Token balance of user is: 0

Impact

This vulnerability allows the coordinator to waste gas by invoking the mint function with zero as the mint amount, leading to unnecessary transaction costs.

Code Snippet

https://github.com/sherlock-audit/2024-02-rio-network-core-protocol/blob/main/rio-sherlock-audit/contracts/restaking/RioLRT.sol#L55

Tool used

Manual Review, Foundry

Recommendation

Add a check in the mint function to ensure that the mint amount is greater than zero before proceeding with the minting operation.

 /// @notice Mint `amount` tokens to the specified address.
    /// @param to The address to mint tokens to.
    /// @param amount The amount of tokens to mint.
    function mint(address to, uint256 amount) external onlyCoordinator {
+       require(amount > 0, "Amount to mint must be greater than zero");
        _mint(to, amount);
    }

[nevillehuang]

Invalid, no impact will result out of minting 0 tokens.