Closed code423n4 closed 2 years ago
https://github.com/code-423n4/2022-04-badger-citadel/blob/main/src/CitadelToken.sol#L42
https://github.com/code-423n4/2022-04-badger-citadel/blob/main/src/GlobalAccessControl.sol#L80
The mint function in CitadelToken requires the role CITADEL_MINTER_ROLE. This role is managed by the governance:

_setRoleAdmin(CITADEL_MINTER_ROLE, CONTRACT_GOVERNANCE_ROLE);

Therefore the admin can mint to himself an unlimited amount.
Per #208 we need to mint the token to fulfil the sale. Not renouncing after the sale can be considered Admin Privilege; however, you have no way of proving that at this time.
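An added illustration, not code from the Citadel repository, of the role layout the finding describes (governance administers the minter role, so it can grant itself minting rights) together with a hard supply cap as one way to bound what any minter can create. Contract, token and role names are constructed, and it assumes OpenZeppelin 4.x AccessControl and ERC20.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/access/AccessControl.sol";
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

// Constructed example: names and roles are hypothetical, not the Citadel contracts.
contract RoleGatedToken is ERC20, AccessControl {
    bytes32 public constant GOVERNANCE_ROLE = keccak256("GOVERNANCE_ROLE");
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");

    // Upper bound on total supply; no minter, including governance, can exceed it.
    uint256 public immutable cap;

    constructor(address governance, uint256 cap_) ERC20("Example Token", "EXT") {
        require(cap_ > 0, "cap is zero");
        cap = cap_;
        _grantRole(GOVERNANCE_ROLE, governance);
        // Same pattern as in the finding: governance is the admin of the minter
        // role, so it can grant MINTER_ROLE to any address (itself included).
        _setRoleAdmin(MINTER_ROLE, GOVERNANCE_ROLE);
    }

    // Minting is gated by MINTER_ROLE; the cap bounds the privilege the role grants.
    function mint(address to, uint256 amount) external onlyRole(MINTER_ROLE) {
        require(totalSupply() + amount <= cap, "cap exceeded");
        _mint(to, amount);
    }

    // Governance can permanently give up administration of the minter role once
    // the sale allocation has been minted, which makes "no further minters" provable.
    function renounceGovernance() external onlyRole(GOVERNANCE_ROLE) {
        renounceRole(GOVERNANCE_ROLE, msg.sender);
    }
}
```

With the cap in place, the largest amount the admin can ever mint is `cap - totalSupply()`, which on-chain readers can verify at any time.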