In VariableSupplyERC20Token.sol maxSupply_ is used to set a limit to the amount mintable, and a value of 0 is used to represent an infinite limit. 0 is indeed a nonsensical value for this variable, and as such would be suitable to represent infinity, but mintableSupply takes its value from maxSupply_, and here we have a clash as a mintableSupply of 0 simply means that nothing more should be minted.
Proof of Concept
Suppose a VariableSupplyERC20Token was created with a positive maxSupply_, which means that the supply should be limited. If mint is called with an amount equal to mintableSupply, then mintableSupply will be set to 0 at line 43. Now, mint will behave as if the supply is unlimited (contrary to our expectations and with unlimited possiblity of inflation).
Tools Used
Code inspection
Recommended Mitigation Steps
Use another representation for infinite supply, for example type(uint256).max.
0xean
commented
2 years ago
Lines of code
https://github.com/code-423n4/2022-09-vtvl/blob/f68b7f3e61dad0d873b5b5a1e8126b839afeab5f/contracts/token/VariableSupplyERC20Token.sol#L36-L46
Vulnerability details
Impact
In VariableSupplyERC20Token.sol
maxSupply_is used to set a limit to the amount mintable, and a value of 0 is used to represent an infinite limit. 0 is indeed a nonsensical value for this variable, and as such would be suitable to represent infinity, butmintableSupplytakes its value frommaxSupply_, and here we have a clash as amintableSupplyof 0 simply means that nothing more should be minted.Proof of Concept
Suppose a VariableSupplyERC20Token was created with a positive
maxSupply_, which means that the supply should be limited. Ifmintis called with anamountequal tomintableSupply, thenmintableSupplywill be set to 0 at line 43. Now,mintwill behave as if the supply is unlimited (contrary to our expectations and with unlimited possiblity of inflation).Tools Used
Code inspection
Recommended Mitigation Steps
Use another representation for infinite supply, for example
type(uint256).max.