KryptoniteDAO / krp-cdp-contracts

Kryptonite stable coin kUSD relevant contracts

Arbitrary minting of coins without depositing collaterals #2

Closed smithmonnnnnnn closed 10 months ago

smithmonnnnnnn commented 11 months ago

Description: In the mint_stable_coin function from the central_pool contract, there is no validation that info.sender is the custody contract. As a consequence, anyone could call this function to mint coins to himself/herself without depositing collateral.

Code Location: krp-cdp-contracts/contracts/central_control/src/contract.rs#L512

smithmonnnnnnn commented 10 months ago

The mint_stable_coin function of the central contract will be called in two situations: the first situation is that the user mints kUSD while depositing collateral; the second situation is that the user can mint more kUSD if the collateral is sufficient. In the second situation, we need to verify that the initiator of the mint and the minter have the same address.
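The following is an added example, not code from the krp-cdp-contracts repository, that models the missing check from the original report and the two-caller rule from the follow-up comment above. It uses plain Rust with no cosmwasm_std dependency so it compiles stand-alone; the address strings, the `record_collateral` helper, the 150% minimum collateral ratio and the error names are all assumptions made for the illustration. The unchecked function keeps the vulnerable shape (no check on the sender, so any caller can mint to any address); the checked one accepts a call either from the custody contract or from a user minting for their own address, and then applies a collateral check before recording debt.

```rust
use std::collections::HashMap;

/// Errors the mint path can return (names chosen for this example, not the project's).
#[derive(Debug, PartialEq, Clone)]
pub enum MintError {
    Unauthorized { sender: String },
    InsufficientCollateral { collateral: u128, debt_after: u128 },
    Overflow,
}

/// Toy model of the central pool's state: collateral and kUSD debt per address.
pub struct CentralPool {
    custody_contract: String,
    /// Minimum collateral-to-debt ratio in percent (150 = 150%). Assumed value, not from the issue.
    min_collateral_ratio_pct: u128,
    collateral: HashMap<String, u128>,
    debt: HashMap<String, u128>,
}

impl CentralPool {
    pub fn new(custody_contract: &str, min_collateral_ratio_pct: u128) -> Self {
        CentralPool {
            custody_contract: custody_contract.to_string(),
            min_collateral_ratio_pct,
            collateral: HashMap::new(),
            debt: HashMap::new(),
        }
    }

    /// Only the custody contract (which holds the real tokens) may record collateral.
    /// Hypothetical helper standing in for the deposit flow.
    pub fn record_collateral(&mut self, sender: &str, depositor: &str, amount: u128) -> Result<u128, MintError> {
        if sender != self.custody_contract {
            return Err(MintError::Unauthorized { sender: sender.to_string() });
        }
        let entry = self.collateral.entry(depositor.to_string()).or_insert(0);
        *entry = entry.checked_add(amount).ok_or(MintError::Overflow)?;
        Ok(*entry)
    }

    /// Vulnerable shape from the report: `sender` is never inspected, so any caller
    /// can mint to any `minter` with no collateral behind the debt.
    pub fn mint_stable_coin_unchecked(&mut self, _sender: &str, minter: &str, amount: u128) -> u128 {
        let d = self.debt.entry(minter.to_string()).or_insert(0);
        *d = d.saturating_add(amount);
        *d
    }

    /// Hardened shape following the follow-up comment:
    /// situation 1: the custody contract calls during a deposit (sender == custody);
    /// situation 2: a user mints more for their own position (sender == minter).
    /// Anything else is rejected before any state is touched. After authorization
    /// the collateral ratio is enforced on the minter's position.
    pub fn mint_stable_coin(&mut self, sender: &str, minter: &str, amount: u128) -> Result<u128, MintError> {
        let from_custody = sender == self.custody_contract;
        let self_mint = sender == minter;
        if !(from_custody || self_mint) {
            return Err(MintError::Unauthorized { sender: sender.to_string() });
        }

        let collateral = *self.collateral.get(minter).unwrap_or(&0);
        let current_debt = *self.debt.get(minter).unwrap_or(&0);
        let debt_after = current_debt.checked_add(amount).ok_or(MintError::Overflow)?;

        // Require collateral * 100 >= debt_after * ratio_pct, using checked math so a
        // large `amount` cannot wrap the comparison.
        let required = debt_after.checked_mul(self.min_collateral_ratio_pct).ok_or(MintError::Overflow)?;
        let available = collateral.checked_mul(100).ok_or(MintError::Overflow)?;
        if available < required {
            return Err(MintError::InsufficientCollateral { collateral, debt_after });
        }

        self.debt.insert(minter.to_string(), debt_after);
        Ok(debt_after)
    }
}

fn main() {
    // Constructed sample: custody records 300 units of collateral for alice,
    // then alice borrows against it while an unrelated caller is rejected.
    let mut pool = CentralPool::new("custody_contract", 150);
    println!("{:?}", pool.record_collateral("custody_contract", "alice", 300));
    println!("{:?}", pool.mint_stable_coin("custody_contract", "alice", 200));
    println!("{:?}", pool.mint_stable_coin("mallory", "alice", 1));
    println!("{:?}", pool.mint_stable_coin("mallory", "mallory", 1));
}
```

The order of the checks matters: the sender test runs first and returns without reading or writing any position, so a rejected caller cannot probe collateral balances through error messages, and the collateral check only ever runs for a position the caller is entitled to act on.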

smithmonnnnnnn commented 10 months ago

fixed