code-423n4 / 2021-08-gravitybridge-findings


Anyone can deploy ERC20 tokens #53

Open code423n4 opened 3 years ago

code423n4 commented 3 years ago

Handle

hrkrshnn

Vulnerability details

Anyone can deploy ERC20 tokens

The deployERC20 function is currently public, which allows anyone to deploy an ERC20 token with a given name, symbol and decimals. Although there is no harm in anyone deploying a contract, as a good practice it makes sense to only deploy contracts for tokens that actually exist in cosmos and are compatible with OpenZeppelin's ERC20 token.

Consider making this operation require signatures of the validators, where validators will need to manually check that a cosmos token is compatible with OpenZeppelin's ERC20 token. For example, the cosmos version of the token may have a fee on transfer or deflationary mechanisms whereas the Ethereum version doesn't; such a token should not be deployed on the bridge.
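
The two designs the finding contrasts, as an added Solidity example (this is not code from the Gravity bridge repository or from the warden): `OpenDeployer` is the unrestricted pattern the finding describes, and `GatedDeployer` is the suggested mitigation, where a deployment only proceeds once validators holding at least a power threshold have signed the exact token parameters. The contract names, the `deployERC20` parameter list, the signed message layout, the flat `validators`/`powers` arrays fixed at construction, and the use of `ecrecover` over an EIP-191 prefixed hash are all assumptions made for illustration; the real Gravity contract's validator-set checkpointing is not reproduced.

```solidity
// SPDX-License-Identifier: MIT
// Added illustration of the pattern discussed in the finding; not Gravity's code.
// Assumes OpenZeppelin Contracts v4.x is available at the import path below.
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

// Plain OpenZeppelin ERC20 with a configurable decimals(); the full supply is
// minted to the bridge, which releases tokens as cosmos-side deposits are relayed.
contract BridgeERC20 is ERC20 {
    uint8 private immutable _decimals;

    constructor(string memory name_, string memory symbol_, uint8 decimals_, address bridge)
        ERC20(name_, symbol_)
    {
        _decimals = decimals_;
        _mint(bridge, type(uint256).max);
    }

    function decimals() public view override returns (uint8) {
        return _decimals;
    }
}

// The pattern the finding describes: deployERC20 is callable by anyone, with any
// name/symbol/decimals, so the on-chain deployment says nothing about whether a
// matching cosmos token exists or behaves like a plain ERC20.
contract OpenDeployer {
    event ERC20Deployed(string cosmosDenom, address token);

    function deployERC20(string calldata cosmosDenom, string calldata name,
                         string calldata symbol, uint8 decimals_) external {
        BridgeERC20 token = new BridgeERC20(name, symbol, decimals_, address(this));
        emit ERC20Deployed(cosmosDenom, address(token));
    }
}

// The suggested mitigation: the same call only succeeds when validators holding
// at least `threshold` of the power have signed the exact parameters. The
// validator set and powers are fixed at construction here (hypothetical; a real
// bridge rotates its set) and `threshold` is in the same units as `powers`.
contract GatedDeployer {
    event ERC20Deployed(string cosmosDenom, address token);

    address[] public validators;
    uint256[] public powers;
    uint256 public immutable threshold;
    uint256 public deployNonce; // makes each signed request single-use

    // Upper bound on `s` for a canonical (non-malleable) secp256k1 signature.
    uint256 private constant HALF_ORDER =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    constructor(address[] memory validators_, uint256[] memory powers_, uint256 threshold_) {
        require(validators_.length == powers_.length, "length mismatch");
        validators = validators_;
        powers = powers_;
        threshold = threshold_;
    }

    // Digest a validator signs off-chain after checking, by hand, that `cosmosDenom`
    // exists and has plain ERC20 semantics (no fee-on-transfer or deflation).
    function deployDigest(string calldata cosmosDenom, string calldata name,
                          string calldata symbol, uint8 decimals_) public view returns (bytes32) {
        bytes32 inner = keccak256(abi.encode(
            address(this), block.chainid, "deployERC20",
            cosmosDenom, name, symbol, decimals_, deployNonce));
        // EIP-191 prefix so the signature cannot double as a transaction signature.
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", inner));
    }

    // v[i] == 0 marks a validator that did not sign; every other entry must verify.
    function deployERC20(string calldata cosmosDenom, string calldata name,
                         string calldata symbol, uint8 decimals_,
                         uint8[] calldata v, bytes32[] calldata r, bytes32[] calldata s) external {
        require(v.length == validators.length && r.length == v.length && s.length == v.length,
                "signature arrays must cover the validator set");
        bytes32 digest = deployDigest(cosmosDenom, name, symbol, decimals_);

        uint256 signedPower = 0;
        for (uint256 i = 0; i < validators.length; i++) {
            if (v[i] == 0) continue;
            require(uint256(s[i]) <= HALF_ORDER, "non-canonical signature");
            require(ecrecover(digest, v[i], r[i], s[i]) == validators[i], "bad validator signature");
            signedPower += powers[i];
        }
        require(signedPower >= threshold, "insufficient validator power");

        deployNonce++; // consume the nonce before creating the token
        BridgeERC20 token = new BridgeERC20(name, symbol, decimals_, address(this));
        emit ERC20Deployed(cosmosDenom, address(token));
    }
}
```

Binding `address(this)`, `block.chainid` and `deployNonce` into the digest is what stops a signature collected for one bridge deployment from being replayed against another instance, another chain, or a second deployment of the same parameters; the nonce is incremented before the token is created so a reverting constructor cannot leave a reusable signature behind.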

jkilpatr commented 3 years ago

This is a fundamental misunderstanding of how the deployERC20 function works: it deploys an ERC20 contract that's built into the Gravity bridge contract at deployment time. From there the contract is adopted or not adopted by the validators' consensus. Not a bug.

duplicate of #13

loudoguno commented 3 years ago

reopening as per judge's assessment as "primary issue" on findings sheet