search

code-423n4 / 2022-01-livepeer-findings

0 stars 0 forks source link

[WP-M0] `MINTER_ROLE` can be granted by the deployer of L2LivepeerToken and mint arbitrary amount of tokens #193

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

WatchPug

Vulnerability details

https://github.com/livepeer/arbitrum-lpt-bridge/blob/ebf68d11879c2798c5ec0735411b08d0bea4f287/contracts/L2/token/LivepeerToken.sol#L23-L30

function mint(address _to, uint256 _amount)
    external
    override
    onlyRole(MINTER_ROLE)
{
    _mint(_to, _amount);
    emit Mint(_to, _amount);
}

Using the mint() function of L2LivepeerToken, an address with MINTER_ROLE can burn an arbitrary amount of tokens.

If the private key of the deployer or an address with the MINTER_ROLE is compromised, the attacker will be able to mint an unlimited amount of LPT tokens.

We believe this is unnecessary and poses a serious centralization risk.

Recommendation

Consider removing the MINTER_ROLE, make the L2LivepeerToken only mintable by the owner, and make the L2Minter contract to be the owner and therefore the only minter.

yondonfu commented 2 years ago

Planning on keeping the role since the L2LPTGateway needs to be given minting rights as well in addition to the L2 Minter.