timelockMint In TimelockRewardDistributionTokenImpl Does Not Ensure Mint Is Greater Than Zero #64
Labels
1 (Low Risk): Assets are not at risk. State handling, function incorrect as to spec, issues with comments
bug: Something isn't working
sponsor acknowledged: Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Handle
leastwood
Vulnerability details
Impact
The timelockMint function attempts to mint a token amount via some timelock period. However, minting an amount = 0 will cause the caller's tokens to be timelocked again.
Proof of Concept
https://github.com/code-423n4/2021-12-nftx/blob/main/nftx-protocol-v2/contracts/solidity/token/TimelockRewardDistributionTokenImpl.sol#L100-L105
Tools Used
Manual code review.
Recommended Mitigation Steps
Consider disallowing amount = 0 from being used in timelockMint. The following require statement can be used to enforce this behaviour.
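The following is an added sketch, not the NFTX contract and not the require statement from the original report. It models the behaviour described under Impact with a simplified token, beside a guarded variant. Every name except timelockMint and amount is an assumption (including timelockUntil, timelockLength, timelockMintUnchecked and the lock being keyed by the receiving account).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration: a simplified stand-in, not the audited contract.
// Names other than timelockMint and amount are assumptions.
contract TimelockedTokenSketch {
    address public immutable owner;
    mapping(address => uint256) public balanceOf;
    mapping(address => uint256) public timelockUntil; // unlock timestamp per account

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Unguarded shape of the problem: the lock is written with no check
    // tying it to a non-zero mint, so amount = 0 re-locks the account's
    // existing balance while minting nothing.
    function timelockMintUnchecked(address account, uint256 amount, uint256 timelockLength) external onlyOwner {
        timelockUntil[account] = block.timestamp + timelockLength;
        balanceOf[account] += amount;
    }

    // Guarded variant: reject zero-amount mints before touching the lock.
    function timelockMint(address account, uint256 amount, uint256 timelockLength) external onlyOwner {
        require(amount > 0, "amount must be > 0");
        timelockUntil[account] = block.timestamp + timelockLength;
        balanceOf[account] += amount;
    }

    // Transfers are blocked until the sender's lock has expired.
    function transfer(address to, uint256 amount) external {
        require(block.timestamp >= timelockUntil[msg.sender], "timelocked");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}
```

In this model the guard only rules out the zero-amount case; any non-zero mint still resets the lock, which is the intended timelock behaviour.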