Handle
paulius.eth
Vulnerability details
Impact
event Mint(uint indexed index, address indexed minter, uint createdVia);
I assume the parameter named 'minter' should indicate the address that minted the token, not the recipient; however, when this event is emitted it uses _to, which is not always the case, e.g. when _mint is invoked from devMint, the minter is the deployer.
Recommended Mitigation Steps
Solution: either change the name of the parameter to 'recipient' or 'owner' or something like that, or use msg.sender when emitting this event.
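The two mitigations from the report, side by side, as an added example that is not the audited project's code. Only `Mint`, `_mint`, `devMint`, `_to` and `createdVia` come from the report; the contract name, storage, the `mint` function, the `MintBySender` event and the `createdVia` values are assumptions made for illustration, and a real contract would pick one of the two events rather than emit both.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal contract. Only Mint, _mint, devMint, _to and createdVia
// come from the report; everything else here is an assumption.
contract MintEventExample {
    // Option 1 from the report: keep emitting _to, but name the field for what it holds.
    event Mint(uint indexed index, address indexed recipient, uint createdVia);
    // Option 2 from the report: keep the name 'minter' and emit msg.sender.
    event MintBySender(uint indexed index, address indexed minter, uint createdVia);

    address public immutable deployer;
    uint public nextIndex;
    mapping(uint => address) public ownerOf;

    constructor() {
        deployer = msg.sender;
    }

    // Deployer-only mint to an arbitrary recipient: here msg.sender != _to,
    // which is the case the report points at.
    function devMint(address _to) external returns (uint) {
        require(msg.sender == deployer, "not deployer");
        return _mint(_to, 0); // 0 = constructed createdVia value for dev mints
    }

    // Public mint to self: msg.sender == _to, so the mismatch never shows here.
    function mint() external returns (uint) {
        return _mint(msg.sender, 1); // 1 = constructed createdVia value
    }

    function _mint(address _to, uint createdVia) internal returns (uint index) {
        require(_to != address(0), "zero recipient");
        index = nextIndex++;
        ownerOf[index] = _to;
        // In an internal call msg.sender is still the external caller,
        // so it identifies the deployer when entered through devMint.
        emit Mint(index, _to, createdVia);                // option 1: field renamed
        emit MintBySender(index, msg.sender, createdVia); // option 2: actual caller
    }
}
```

Because the address field is `indexed`, off-chain consumers filter on it by topic, so whichever meaning is chosen determines whose address a topic filter on that field will match for dev mints.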