code-423n4 / 2022-10-thegraph-findings


[NAZ-M2] `MINTER_ROLE` Can Be Granted By The Deployer and Can Mint Arbitrary Amount of Tokens #245

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-10-thegraph/blob/main/contracts/l2/token/GraphTokenUpgradeable.sol#L158

Vulnerability details

Impact

If the private key of the deployer or of an address with the MINTER role is compromised, the attacker will be able to mint an unlimited amount of tokens. I believe this is unnecessary and poses a serious centralization risk.

Tools Used

Manual Review

Recommended Mitigation Steps

Consider removing the MINTER, making the tokens mintable only by the owner, and making the L2Minter contract the owner and therefore the only minter.
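The two designs contrasted in this finding, as an added example that is not The Graph's code nor part of the original report: a role-minted token whose admin can widen the minter set, beside an owner-minted token whose ownership is handed to a minter contract. The names `RoleMintedToken`, `OwnerMintedToken` and `L2MinterStub` are hypothetical; the stub only sketches the bridge-gated mint the recommendation implies.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example, not the project's code. Minimal token core shared by both variants.
abstract contract MintableTokenCore {
    string public constant name = "ExampleToken";
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    event Transfer(address indexed from, address indexed to, uint256 value);

    function _mint(address to, uint256 amount) internal {
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }
}

// Variant A: the pattern the finding objects to. The deployer (admin) can grant
// MINTER_ROLE to any address, and every minter may mint any amount.
contract RoleMintedToken is MintableTokenCore {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
    address public immutable admin;
    mapping(bytes32 => mapping(address => bool)) private _roles;

    constructor() {
        admin = msg.sender;
    }

    function hasRole(bytes32 role, address account) public view returns (bool) {
        return _roles[role][account];
    }

    // A compromised admin key can widen the minter set at will.
    function grantRole(bytes32 role, address account) external {
        require(msg.sender == admin, "not admin");
        _roles[role][account] = true;
    }

    function mint(address to, uint256 amount) external {
        require(hasRole(MINTER_ROLE, msg.sender), "not minter");
        _mint(to, amount);
    }
}

// Variant B: the mitigation the finding suggests. Only the owner may mint, there is no
// role table to widen, and ownership is transferred to a minter contract so that no
// externally owned key retains the mint capability after deployment.
contract OwnerMintedToken is MintableTokenCore {
    address public owner;

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() {
        owner = msg.sender;
        emit OwnershipTransferred(address(0), msg.sender);
    }

    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero owner");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }

    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }
}

// Hypothetical stand-in for the L2 minter contract: once it owns the token it is the only
// address that can mint, and it mints only when its configured bridge reports a deposit.
contract L2MinterStub {
    OwnerMintedToken public immutable token;
    address public immutable bridge; // e.g. the cross-chain messenger that relays deposits

    constructor(OwnerMintedToken _token, address _bridge) {
        token = _token;
        bridge = _bridge;
    }

    function finalizeDeposit(address to, uint256 amount) external {
        require(msg.sender == bridge, "not bridge");
        token.mint(to, amount);
    }
}
```

Deployment order for variant B: deploy `OwnerMintedToken`, deploy `L2MinterStub(token, bridge)`, then call `token.transferOwnership(address(minterStub))`. From that point a `mint` call from the deployer key reverts with "not owner", which is the property the recommendation is after: the mint capability lives in contract logic rather than in any key that can be granted a role.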

0xean commented 1 year ago

closing as invalid.