code-423n4 / 2021-12-yetifinance-findings


Infinite mint #287

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

0x1f8b

Vulnerability details

Impact

Anyone can mint tokens.

Proof of Concept

The method mint in the sYETIToken contract doesn't check if the caller is the owner; instead, the method checks if the sender is different from address(0), something impossible. It seems that it's a copy-paste from the _burn method. This could mean that anyone can call it and mint tokens using this bug.

Tools Used

Manual review.

Recommended Mitigation Steps

Check the owner in sYETIToken.mint

kingyetifinance commented 2 years ago

@LilYeti: sYETI Token mint checks that YETI has been transferred according to the internal ratio, it is meant to be used by other users.

alcueca commented 2 years ago

Sorry, @kingyetifinance, could you please show how "sYETI Token mint checks that YETI has been transferred according to the internal ratio"?

0xtruco commented 2 years ago

@alcueca The line "yetiToken.sendToSYETI(msg.sender, amount);", which can be seen here in the contest version (https://github.com/code-423n4/2021-12-yetifinance/blob/5f5bf61209b722ba568623d8446111b1ea5cb61c/packages/contracts/contracts/YETI/sYETIToken.sol#L184), requires that the YETI has been transferred through this sendToSYETI call.

alcueca commented 2 years ago

Ah, ok, I see. mint instructs the yetiToken contract to transfer yetiToken from the msg.sender of the mint call to the sYetiToken contract. It also increases the sYetiToken balance of msg.sender by shares.

It's a very confusing way of coding this. You should at least use the _mint internal function from BoringCrypto/ERC20.sol. I'm sure that there are cleaner ways of avoiding an approval.

Downgraded to non critical as a code quality issue.
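To make the distinction the thread settles on concrete (a public mint that is safe because the shares are backed by an underlying deposit pulled from the caller in the same transaction, versus one that relies on a tautological `msg.sender != address(0)` check), here is an added illustration in the style alcueca recommends. It is not the Yeti Finance contest code or BoringCrypto's library: `ShareToken`, `IUnderlying` and `sharesFor` are hypothetical names, and it uses the standard approve/transferFrom path rather than a `sendToSYETI`-style hook on the underlying token.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's code. A share token whose public mint is
// gated by the underlying deposit succeeding, with all balance increases routed
// through one internal _mint (the pattern suggested in the thread).
// Hypothetical names: IUnderlying, ShareToken, sharesFor.

interface IUnderlying {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract ShareToken {
    string public constant name = "Share Token (example)";
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    IUnderlying public immutable underlying;

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(IUnderlying _underlying) {
        underlying = _underlying;
    }

    // Internal mint in the style of an ERC20 library's _mint: the only place that
    // increases totalSupply and balances, so every public entry point that creates
    // shares goes through one reviewed path. The zero-address check here is the
    // one that belongs in _mint/_burn; copied into a public mint as a check on
    // msg.sender it is always true and gates nothing.
    function _mint(address to, uint256 shares) internal {
        require(to != address(0), "mint to zero address");
        totalSupply += shares;
        balanceOf[to] += shares;
        emit Transfer(address(0), to, shares);
    }

    // Shares owed for `amount` of underlying, relative to what the contract
    // already holds (the "internal ratio" mentioned in the thread).
    function sharesFor(uint256 amount) public view returns (uint256) {
        uint256 held = underlying.balanceOf(address(this));
        if (totalSupply == 0 || held == 0) return amount;
        return amount * totalSupply / held;
    }

    // Public deposit. Anyone may call it, and that is the intended design: the
    // shares are backed by underlying pulled from msg.sender in the same
    // transaction. If transferFrom fails (no approval, insufficient balance),
    // the call reverts and no shares exist.
    function mint(uint256 amount) external returns (uint256 shares) {
        shares = sharesFor(amount); // compute before the deposit changes `held`
        require(
            underlying.transferFrom(msg.sender, address(this), amount),
            "underlying transfer failed"
        );
        _mint(msg.sender, shares);
    }
}
```

The point for a reviewer is that the access control on a deposit-style mint is the transfer itself, so the question to answer during review is whether the transfer can fail silently or be skipped, not whether an owner check is missing; computing the share ratio before the transfer moves funds avoids the depositor's own tokens diluting their share count.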