In contract MPHMinter, the function distributeFundingRewards does not check whether the contract itself is the owner of mph. If the contract is not the owner of mph, mph.ownerMint could revert, causing functions such as withdraw, rolloverDeposit, payInterestToFunders in the contract DInterest to revert as well.
ZeframLou
commented
3 years ago
Handle
shw
Vulnerability details
Impact
In contract
MPHMinter, the functiondistributeFundingRewardsdoes not check whether the contract itself is the owner ofmph. If the contract is not the owner ofmph,mph.ownerMintcould revert, causing functions such aswithdraw,rolloverDeposit,payInterestToFundersin the contractDInterestto revert as well.Proof of Concept
Referenced code: MPHMinter.sol#L121 DInterest.sol#L1253 DInterest.sol#L1420
Tools Used
None
Recommended Mitigation Steps
Add a
mph.owner() != address(this)check as in the other functions (e.g.,mintVested).