search

code-423n4 / 2022-03-volt-findings

0 stars 0 forks source link

MINTER_ROLE can be granted by the deployer of Volt and mint arbitrary amount of tokens #55

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-03-volt/blob/f1210bf3151095e4d371c9e9d7682d9031860bbd/contracts/volt/Volt.sol#L41

Vulnerability details

Impact

Using the mint() function of Volt contract, an address with MINTER_ROLE can mint an arbitrary amount of tokens.

If the private key of the deployer or an address with the MINTER_ROLE is compromised, the attacker will be able to mint an unlimited amount of FEI tokens tokens.

We believe this is unnecessary and poses a serious centralization risk.

Proof of Concept

https://github.com/code-423n4/2022-03-volt/blob/f1210bf3151095e4d371c9e9d7682d9031860bbd/contracts/volt/Volt.sol#L41

function mint(address account, uint256 amount)
        external
        override
        onlyMinter
        whenNotPaused
    {
        _mint(account, amount);
        emit Minting(account, msg.sender, amount);
    }

Tools Used

Recommended Mitigation Steps

Consider removing the MINTER_ROLE, make the tokens only mintable by the owner.

jack-the-pug commented 2 years ago

This issue should explain a little bit better on why the minter role is not necessary. I'll downgrade this to QA due to lack of details.