code-423n4 / 2022-12-tigris-findings


[NAZ-M9] `isMinter` Can Be Granted By The Deployer Of `StableToken` And Mint/Burn Arbitrary Amount Of Tokens #600

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableToken.sol#L9
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableToken.sol#L38

Vulnerability details

Impact

If the private key of the deployer or an address in the isMinter mapping is compromised, the attacker will be able to mint/burn an unlimited amount of tigUSD tokens.

Tools Used

Manual Review

Recommended Mitigation Steps

Consider removing the `isMinter` mapping, making tigUSD mintable only by the owner, and make the StableToken.sol contract the owner and therefore the only minter.
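As an added illustration of the risk described above (not the project's code or the warden's), the following off-chain monitor replays a constructed sequence of privileged StableToken calls, reconstructs the `isMinter` set, and flags minter grants to unexpected addresses and mint/burn calls by them. The function names `setMinter`, `mintFor` and `burnFrom`, the addresses, and the alert threshold are assumptions.

```python
# Added example, not the project's code: replay privileged StableToken calls
# and alert on the key-compromise scenario from the finding. Function names
# (setMinter, mintFor, burnFrom) and all addresses/amounts are assumed or constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Call:
    caller: str   # msg.sender of the call
    fn: str       # function name
    args: tuple   # decoded arguments


# Constructed deployment expectations: one owner, one legitimate minter contract.
OWNER = "0xOWNER"
EXPECTED_MINTERS = {"0xTRADING"}
AMOUNT_ALERT = 1_000_000 * 10**18   # any single mint/burn above this is flagged


def replay(calls, owner=OWNER, expected=EXPECTED_MINTERS, limit=AMOUNT_ALERT):
    """Return (current minter set, list of alert strings) after replaying calls."""
    minters = set()
    alerts = []
    for c in calls:
        if c.fn == "setMinter":
            if c.caller != owner:
                alerts.append(f"setMinter attempted by non-owner {c.caller}")
                continue  # would revert on-chain (onlyOwner)
            addr, status = c.args
            if status:
                minters.add(addr)
                if addr not in expected:
                    alerts.append(f"unexpected minter granted: {addr}")
            else:
                minters.discard(addr)
        elif c.fn in ("mintFor", "burnFrom"):
            if c.caller not in minters:
                alerts.append(f"{c.fn} attempted by non-minter {c.caller}")
                continue  # would revert on-chain (onlyMinter)
            _account, amount = c.args
            if c.caller not in expected:
                alerts.append(f"{c.fn} by unexpected minter {c.caller}")
            if amount > limit:
                alerts.append(f"{c.fn} of {amount} by {c.caller} exceeds alert limit")
    return minters, alerts


# Constructed call history: legitimate setup, then a compromised owner key
# grants an EOA minter rights which immediately mints an unbounded amount.
SAMPLE_CALLS = [
    Call(OWNER, "setMinter", ("0xTRADING", True)),
    Call(OWNER, "setMinter", ("0xEOA", True)),
    Call("0xEOA", "mintFor", ("0xEOA", 10_000_000 * 10**18)),
]
```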

GalloDaSballo commented 1 year ago

Basically the same as vault rug, but missing further detail

c4-judge commented 1 year ago

GalloDaSballo marked the issue as duplicate of #383

c4-judge commented 1 year ago

GalloDaSballo marked the issue as partial-50

c4-judge commented 1 year ago

GalloDaSballo marked the issue as duplicate of #377

c4-judge commented 1 year ago

GalloDaSballo marked the issue as satisfactory

c4-judge commented 1 year ago

GalloDaSballo marked the issue as partial-50