Open code423n4 opened 2 years ago
About this issue, firstly, we rarely use the function configureMinter
. Secondly, we can removeMinter
first and then call the configureMinter
.
Other than that, all the minters are centralised party and they should be under control and regulation. At the moment, the minter is only ourself, so there is no worry about that.
Low
Race condition in configureMinter
Impact
The configureMinter function can be used to set the minterAllowedAmount of the minter. Consider the following scenarios:
The minterAllowedAmount of minter A is actually 1500 instead of 1000.
Proof of Concept
https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v2/FiatTokenV2.sol#L337-L347 https://github.com/code-423n4/2022-02-jpyc/blob/main/contracts/v1/FiatTokenV1.sol#L327-L337
Tools Used
None
Recommended Mitigation Steps
Add increaseMinterAllowedAmount and decreaseMinterAllowedAmount methods