Closed sherlock-admin2 closed 1 month ago
A zero conversion rate is assumed not to be set. From the contest readme: "Governance configurations are assumed to be set with extreme care. Lack of sanity check issues are not viable submissions." and: "Deployment of the contracts is assumed to be done with special care taken that all contracts have been deployed correctly."
cryptphi
Medium
User would lose funds when rate is zero
Summary
The missing zero value check in the constructor of the MkrNgt contract can lead to a situation where the `rate` state variable is set to zero during deployment. This can then lead to users losing their mkr funds when calling `MkrNgt.mkrToNgt()`, where the mkr token is burned but the user does not get any ngt minted to their account.
Root Cause
In MkrNgt.sol:38 there is a missing zero value check in the constructor to ensure that the `rate_` parameter is not zero.
When `rate_` is zero, any user with mkr token calling `MkrNgt.mkrToNgt()` will be minted zero ngt tokens while getting their mkr burned, since `uint256 ngtAmt == 0` (MkrNgt.sol:43) - https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/ngt/src/MkrNgt.sol#L42-L44
Internal pre-conditions
`rate_` parameter is zero during deployment of MkrNgt contract.
External pre-conditions
No response
Attack Path
No response
Impact
PoC
Mitigation
Add a require check to ensure that the `rate_` parameter is a non-zero value.
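
The behaviour and mitigation described in this report, as an added example that is not part of the original report or the MakerDAO source: a simplified Solidity model in which `Gem`, `Converter` and `HardenedConverter` are hypothetical names and token access control is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

// Added illustration: simplified model of the converter described in the report,
// not the MakerDAO source. Gem, Converter and HardenedConverter are hypothetical names.
contract Gem {
    mapping(address => uint256) public balanceOf;

    // Access control omitted to keep the model short.
    function mint(address usr, uint256 amt) external { balanceOf[usr] += amt; }
    function burn(address usr, uint256 amt) external { balanceOf[usr] -= amt; }
}

contract Converter {
    Gem public immutable mkr;
    Gem public immutable ngt;
    uint256 public immutable rate;

    // As reported: rate_ is stored without a zero check.
    constructor(Gem mkr_, Gem ngt_, uint256 rate_) {
        mkr = mkr_;
        ngt = ngt_;
        rate = rate_;
    }

    function mkrToNgt(address usr, uint256 mkrAmt) external {
        mkr.burn(msg.sender, mkrAmt);
        uint256 ngtAmt = mkrAmt * rate; // 0 when rate == 0: MKR burned, nothing minted
        ngt.mint(usr, ngtAmt);
    }
}

contract HardenedConverter is Converter {
    // Mitigation from the report: refuse to deploy with a zero rate.
    constructor(Gem mkr_, Gem ngt_, uint256 rate_) Converter(mkr_, ngt_, rate_) {
        require(rate_ != 0, "Converter/zero-rate");
    }
}
```

Because `rate` is immutable in this model, the constructor is the only point where the value can be validated; a deployment of `HardenedConverter` with `rate_ == 0` reverts.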