MinaFoundation / mina-fungible-token

https://minafoundation.github.io/mina-fungible-token/
Apache License 2.0
18 stars, 8 forks

access permissions allow token deployer to mint tokens #81

Closed kantp closed 2 months ago

kantp commented 3 months ago

Since access permissions are (by default) set to proofOrSignature, an owner may attach arbitrary account balance updates beneath an AccountUpdate to the deployed smart contract which does not require proof authorization, e.g. a nop AccountUpdate or a receive AccountUpdate.

Impact

  1. The amount of trust placed in the token deployer is (by default) total. Signature access permissions are required for other signature-authorized permissions like upgrading, setting permissions, or setting the URI in the default smart contract permissions. While the owner is already a privileged actor by default, this is an important action they can perform which may be unexpected to users of the token.
  2. Whenever someone upgrades a token contract to be “non-upgradeable,” users must check that the owner set access permissions to proof only.

Recommendation

Document this possibility clearly in the token contract, on the permissions documentation, and on the documentation of the “approve” function.

Consider changing the default behavior to upgrading/changing permissions via a check with the admin contract, and defaulting smart contract access permissions to proof-only.

kantp commented 2 months ago

As part of #99, we set the access permission on the token contract to proof. We also set setPermissions = impossible, and point out that users of the token should check those permissions.
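Added example, not code from the mina-fungible-token project or from the participants in this thread: a TypeScript model of the authorization rule behind the report (a signed nop update on the contract account with minting updates beneath it) and of the check the closing comment asks token users to run (access is proof, setPermissions is impossible). It assumes permission kinds are spelled the way a Mina node's GraphQL account query reports them (None, Either, Proof, Signature, Impossible, the five kinds o1js exposes as Permissions.none(), proofOrSignature(), proof(), signature() and impossible()); the GraphQL field names and both sample permission sets are constructed for the example, not read from any deployed contract.

```typescript
// Added example (not mina-fungible-token or o1js code). Models the ledger's
// authorization check and audits a token contract's permissions for the two
// settings the thread settles on. Permission names and GraphQL field names
// are assumptions; the sample permission sets are constructed.

type AuthRequired = 'None' | 'Either' | 'Proof' | 'Signature' | 'Impossible';
type AuthTag = 'NoneGiven' | 'Signature' | 'Proof';

const AUTH_REQUIRED: ReadonlySet<string> = new Set(['None', 'Either', 'Proof', 'Signature', 'Impossible']);

interface TokenPermissions {
  access: AuthRequired;
  setPermissions: AuthRequired;
}

// Whether an AccountUpdate carrying authorization `tag` satisfies a permission
// of kind `auth`: a proof never stands in for a signature or vice versa,
// Either accepts both, None accepts anything, Impossible accepts nothing.
function authorizes(auth: AuthRequired, tag: AuthTag): boolean {
  switch (auth) {
    case 'Impossible': return false;
    case 'None': return true;
    case 'Proof': return tag === 'Proof';
    case 'Signature': return tag === 'Signature';
    case 'Either': return tag === 'Proof' || tag === 'Signature';
    default: throw new Error(`unknown permission kind ${String(auth)}`);
  }
}

// The shape in the report: the owner signs a do-nothing update on the token
// contract account and hangs arbitrary balance updates beneath it. The only
// gate the parent meets is the account's `access` permission, so the children
// go through whenever a bare signature satisfies `access`; no contract method
// runs, so no admin-contract check runs either.
function ownerCanMintBySignature(p: TokenPermissions): boolean {
  return authorizes(p.access, 'Signature');
}

// A permissions change must pass both `access` and `setPermissions`, and an
// update carries exactly one kind of authorization, so a signature-only update
// has to clear both with a signature.
function ownerCanRelaxBySignature(p: TokenPermissions): boolean {
  return authorizes(p.access, 'Signature') && authorizes(p.setPermissions, 'Signature');
}

interface Finding {
  field: keyof TokenPermissions;
  expected: AuthRequired;
  actual: AuthRequired;
  why: string;
}

// The check a token user should run: access must be Proof and setPermissions
// must be Impossible. Each deviation is reported with the consequence it has.
function auditTokenPermissions(p: TokenPermissions): Finding[] {
  const findings: Finding[] = [];
  if (p.access !== 'Proof') {
    findings.push({
      field: 'access', expected: 'Proof', actual: p.access,
      why: ownerCanMintBySignature(p)
        ? 'owner can mint with a signature-only update, bypassing the admin contract'
        : 'access is not proof-only',
    });
  }
  if (p.setPermissions !== 'Impossible') {
    findings.push({
      field: 'setPermissions', expected: 'Impossible', actual: p.setPermissions,
      why: ownerCanRelaxBySignature(p)
        ? 'owner can reset permissions with a signature and reopen minting'
        : 'permissions can still be changed',
    });
  }
  return findings;
}

// Parse the `permissions` object of an account query response (assumed field
// names). Unknown or missing values are rejected, never defaulted.
function parsePermissions(raw: unknown): TokenPermissions {
  if (typeof raw !== 'object' || raw === null) throw new Error('permissions: not an object');
  const obj = raw as Record<string, unknown>;
  const pick = (k: keyof TokenPermissions): AuthRequired => {
    const v = obj[k];
    if (typeof v !== 'string' || !AUTH_REQUIRED.has(v)) {
      throw new Error(`permissions.${k}: unexpected value ${JSON.stringify(v)}`);
    }
    return v as AuthRequired;
  };
  return { access: pick('access'), setPermissions: pick('setPermissions') };
}

// Constructed samples: the situation the report describes, and the settings
// the closing comment says were adopted.
const AS_REPORTED = parsePermissions({ access: 'Either', setPermissions: 'Signature' });
const AFTER_FIX = parsePermissions({ access: 'Proof', setPermissions: 'Impossible' });

for (const [name, p] of [['as reported', AS_REPORTED], ['after fix', AFTER_FIX]] as const) {
  const findings = auditTokenPermissions(p);
  console.log(`${name}: ${findings.length === 0 ? 'ok' : findings.map((f) => `${f.field}=${f.actual} (${f.why})`).join('; ')}`);
}
```

Against a live deployment the object passed to parsePermissions would be the `permissions` field of the node's account query for the token contract's public key; the field names used here are an assumption to confirm against the node's schema, and the audit deliberately treats access = None as a failure too, since None lets a signature through just as Either does.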