search

code-423n4 / 2022-03-volt-findings

0 stars 0 forks source link

MINTER_ROLE can be granted by the deployer of Core and mint arbitrary amount of Volt. #50

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-03-volt/blob/main/contracts/volt/Volt.sol#L41-L49

Vulnerability details

Impact

    function mint(address account, uint256 amount)
        external
        override
        onlyMinter
        whenNotPaused
    {
        _mint(account, amount);
        emit Minting(account, msg.sender, amount);
    }

Using the mint() function of Volt, an address with MINTER_ROLE can mint an arbitrary amount of Volt.

If the private key of the deployer or an address with the MINTER_ROLE is compromised, the attacker will be able to mint an unlimited amount of Volt.

We believe this is unnecessary and poses a serious centralization risk.

Proof of Concept

https://github.com/code-423n4/2022-03-volt/blob/main/contracts/volt/Volt.sol#L41-L49

Tools Used

None

Recommended Mitigation Steps

Consider removing the MINTER_ROLE, make the Volt only mintable by the owner, and make the CoreRef contract to be the owner and therefore the only minter.

ElliotFriedman commented 2 years ago

This is not a valid issue as the system is designed to be able to mint VOLT with privileged roles.

jack-the-pug commented 2 years ago

Dup #55