Impact
There is a possibility of unintentionally reducing the maxSupply of Vader via the adjustMaxSupply function.
Proof of Concept
Ref: line 212 in contracts/tokens/Vader.sol

    /*
     * Requirements:
     *
     * - the caller must be the DAO
     * - the new maximum supply must be greater than the current one
     */
    function adjustMaxSupply(uint256 _maxSupply) external onlyDAO {
        require(
            _maxSupply >= totalSupply(),
            "Vader::adjustMaxSupply: Max supply cannot subcede current supply"
        );
        emit MaxSupplyChanged(maxSupply, _maxSupply);
        maxSupply = _maxSupply;
    }
As the Requirements comment states, the new value should only ever be greater than the current maxSupply. The implementation, however, compares _maxSupply against totalSupply() rather than maxSupply, so the DAO can set the new maxSupply to a value below the current maxSupply (any value not below totalSupply() passes the check).
Tools Used
Manual review
Recommended Mitigation Steps
If the Requirement statement is correct, then in adjustMaxSupply compare the new value with maxSupply instead of totalSupply():

    function adjustMaxSupply(uint256 _maxSupply) external onlyDAO {
        require(
            // compare against the current maximum, not the circulating supply;
            // `>=` still allows a no-op call, use `>` if the comment's
            // "greater than" is meant strictly
            _maxSupply >= maxSupply,
            "Vader::adjustMaxSupply: Max supply cannot subcede current supply"
        );
        emit MaxSupplyChanged(maxSupply, _maxSupply);
        maxSupply = _maxSupply;
    }
Handle
ksk2345