Total supply of the token may exceed the maxCap introduced. This can happen when a user wants to join the pool. The check in BasketFacet::joinPool(...) includes only the base amount, without fee. Thus, if fee is on and someone will want to create as many tokens as possible, the totalSupply + _amount will be set to maxCap. The call will succeed, but new tokens were also minted as the fee for bs.feeBeneficiary if bs.entryFee and bs.entryFeeBeneficiaryShare are nonzero. Thus, the number of tokens may exceed maxCap.
Tools Used
Manual analysis
Recommended Mitigation Steps
Consider calculating feeAmount and feeBeneficiaryShare before the require(...) statement and check totalSupply.add(_amount).add(feeBanficiaryShare) <= this.getCap().
Handle
Czar102
Vulnerability details
Impact
Total supply of the token may exceed the
maxCap
introduced. This can happen when a user wants to join the pool. The check inBasketFacet::joinPool(...)
includes only the base amount, without fee. Thus, if fee is on and someone will want to create as many tokens as possible, thetotalSupply + _amount
will be set tomaxCap
. The call will succeed, but new tokens were also minted as the fee forbs.feeBeneficiary
ifbs.entryFee
andbs.entryFeeBeneficiaryShare
are nonzero. Thus, the number of tokens may exceedmaxCap
.Tools Used
Manual analysis
Recommended Mitigation Steps
Consider calculating
feeAmount
andfeeBeneficiaryShare
before therequire(...)
statement and checktotalSupply.add(_amount).add(feeBanficiaryShare) <= this.getCap()
.