I think that during the ICO period anyone can call the Premium contract's mint method, specifying the desired owner address and the amount of tokens to mint, because the check in the mint function is not correct:
require( msg.sender == icoAddr || isICO );
should be && instead of ||
Additionally the private _mint method does not have checks on the caller.
Does this qualify for the bounty as a Critical bug (since it allows unauthorized creation of Premium tokens)?
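The check quoted in the post, placed beside the `&&` form it proposes, as an added example that is not the project's code or part of the original post. Only `icoAddr`, `isICO`, `mint` and `_mint` come from the post; the contract name, `admin`, `endICO`, `mintAsReported` and the storage layout are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal token, constructed for illustration only.
contract PremiumSketch {
    address public immutable icoAddr; // the ICO contract allowed to mint
    address public immutable admin;   // assumed: account that closes the sale
    bool public isICO = true;         // true while the sale is running
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    constructor(address _icoAddr) {
        icoAddr = _icoAddr;
        admin = msg.sender;
    }

    // Check as quoted in the post. While isICO is true the right-hand
    // operand alone satisfies the require, so msg.sender is not constrained.
    function mintAsReported(address to, uint256 amount) external {
        require(msg.sender == icoAddr || isICO);
        _mint(to, amount);
    }

    // Check with the && the post proposes. Both conditions must hold:
    // the caller is the ICO contract and the sale is still open.
    function mint(address to, uint256 amount) external {
        require(
            msg.sender == icoAddr && isICO,
            "mint: caller is not ICO contract or sale is closed"
        );
        _mint(to, amount);
    }

    function endICO() external {
        require(msg.sender == admin, "endICO: not admin");
        isICO = false;
    }

    // private: callable only from functions of this contract, so the
    // caller check has to sit in each external entry point that reaches it.
    function _mint(address to, uint256 amount) private {
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}
```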