search

code-423n4 / 2022-05-backd-findings

0 stars 0 forks source link

Governance Token limit can be massively increased due to uninitialised `lastEvent` variable #143

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/tokenomics/Minter.sol#L187-L189 https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/tokenomics/Minter.sol#L115-L116 https://github.com/code-423n4/2022-05-backd/blob/2a5664d35cde5b036074edef3c1369b984d10010/protocol/contracts/tokenomics/Minter.sol#L104-L108

Vulnerability details

Impact

Due to insufficient checks in the executeInflationRateUpdate() in the Minter contract, the limit on tokens that can be minted is massively increased. As lastEvent is uninitialised and equal to 0 by default, in the first line of _executeInflationRateUpdate(), the result for totalAvailableToNow is very large so the limit on governance tokens would become much larger than the predetermined limit.

Proof of Concept

  1. Minter.sol is deployed
  2. executeInflationRateUpdate() can be called by an attacker causing totalAvailableToNow to become very large
  3. The line require(newTotalMintedToNow <= totalAvailableToNow, "Mintable amount exceeded"); in _mint() will always pass

Recommended Mitigation Steps

Initialise lastEvent or add an requirement in executeInflationRateUpdate() to check that lastEvent is non zero ensuring that the startInflation() function has been called.

danhper commented 2 years ago

Duplicate of #46

GalloDaSballo commented 2 years ago

Dup of #46