Closed Taneristique closed 1 year ago
Hi @Taneristique, thanks for submitting this issue. In this case, the access to mint this token and the total supply are not dangerous and do not represent a vulnerability because this is a test token on the testnet. Nevertheless, I appreciate you bringing this to our attention. Thank you.
Hi @Taneristique, what's the email address you used to register in the Swisstronik dashboard? Thank you.
```solidity
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.9;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

contract TestToken is ERC20 {
    constructor() ERC20("Swisstronik", "SWTR") {}
}
```
https://github.com/SigmaGmbH/swisstronik-tutorials/blob/1afd963619ecf3955e3f0f5a99f2e8807dec0a53/ERC20_interaction/contracts/Token.sol

Since the amount of token supply has a critical role in the value of a token, the code above has the potential of leading to inflation, because any person who knows its contract address can connect to this contract and call the mint100tokens() function multiple times to mint great amounts of SWTR, since there is no access authorization check. In this case totalSupply() increases dangerously. Even though this is just a contract created for a tutorial, it would be better to add some authorization check to ensure malicious actors cannot affect the token supply. The following modification would improve the quality of the tutorial and codebase:
```solidity
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.9;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

contract TestToken is ERC20 {
    address owner;

    constructor() ERC20("Swisstronik", "SWTR") {
        // the deployer becomes the only account allowed to mint or burn
        owner = msg.sender;
    }

    modifier onlyOwner {
        require(msg.sender == owner, "Caller must be owner!");
        _;
    }

    // only owner can mint tokens
    function mint100tokens() public onlyOwner {
        _mint(msg.sender, 100 * 10 ** 18);
    }

    // only owner can burn tokens
    function burn100tokens() public onlyOwner {
        _burn(msg.sender, 100 * 10 ** 18);
    }
}
```
Also, using Ownable.sol from the OpenZeppelin library or from Solady can be considered; I put the links below:
https://github.com/Vectorized/solady/blob/main/src/auth/Ownable.sol
https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/access/Ownable.sol
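The following is an added example, not code from the tutorial repository or from the issue author, showing the Ownable-based variant the issue suggests. It assumes OpenZeppelin Contracts 4.x (where the Ownable constructor takes no argument and makes the deployer the initial owner), and it adds a supply cap (MAX_SUPPLY, a value chosen here for illustration) so that even the owner key cannot inflate the token without bound; the mint100tokens/burn100tokens names are kept from the tutorial so existing callers keep working.

```solidity
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.9;

// Added example (not the tutorial's own code). Assumes OpenZeppelin Contracts 4.x:
// Ownable() has no constructor argument and sets msg.sender as the initial owner.
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

contract TestToken is ERC20, Ownable {
    // Hard cap on total supply. The figure is an assumption for illustration;
    // the point is that totalSupply() can never grow past it, whoever holds the key.
    uint256 public constant MAX_SUPPLY = 1_000_000 * 10 ** 18;

    // Amount minted or burned by the tutorial's convenience functions.
    uint256 public constant BATCH = 100 * 10 ** 18;

    constructor() ERC20("Swisstronik", "SWTR") {}

    // General mint entry point: owner only, and never beyond MAX_SUPPLY.
    // ERC20._mint emits Transfer(address(0), to, amount), which is the event a
    // monitor watches to detect unexpected supply growth.
    function mint(address to, uint256 amount) public onlyOwner {
        require(to != address(0), "Mint to zero address");
        require(totalSupply() + amount <= MAX_SUPPLY, "Supply cap exceeded");
        _mint(to, amount);
    }

    // Holders may burn only their own balance; no special rights needed.
    function burn(uint256 amount) public {
        _burn(msg.sender, amount);
    }

    // Convenience wrappers keeping the tutorial's original function names.
    // Both inherit the access check and cap from mint()/burn().
    function mint100tokens() external {
        mint(msg.sender, BATCH);
    }

    function burn100tokens() external {
        burn(BATCH);
    }
}
```

Ownable also provides transferOwnership and renounceOwnership, so the minting right can be handed to a multisig or given up entirely once the test supply is in place; after renounceOwnership, mint() reverts for everyone and the supply is frozen.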