Closed code423n4 closed 2 years ago
There is no response this time because it is an operational problem. I don't think it's MedRisk because it's just a matter of proper operation. I think it's Low Risk.
Dup #42
Grouping this with warden's QA report, #47
Lines of code
https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v2/FiatTokenV2.sol#L337 https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v2/FiatTokenV2.sol#L344
Vulnerability details
Impact
During the code review, It has been observed the token does not have any maximum total supply definition on the code. With privileged user, the contract masterMinter can define any amount on the minting. The contract will have one masterMinter address. Any compromise to the masterMinter account(s) may allow the hacker to manipulate the project through these functions. (unlimited minting)
Proof of Concept
Tools Used
Code Review
Recommended Mitigation Steps
We advise the client to carefully manage the onlyMasterMinter account private key to avoid any potential risks of being hacked. In general, we strongly recommend centralized privileges or roles in the protocol to be improved via a decentralized mechanism or smart-contract-based accounts with enhanced security practices, e.g., Multisignature wallets.