The contract lacks proper access control on critical functions, allowing unauthorized parties to execute them.
Recommendation: Use OpenZeppelin's Ownable access control (the onlyOwner modifier) for minting, burning, and similar privileged functions.
Before:
```solidity
// No access control checks in critical functions
function _mint(address account, uint256 value) internal override {
    if (account == address(0)) {
        revert ERC20InvalidReceiver(address(0));
    }
    _update(address(0), account, value);
}
```
After:
```solidity
// Add access control to critical functions
function _mint(address account, uint256 value) internal onlyOwner override {
    require(account != address(0), "ERC20: mint to the zero address");
    _update(address(0), account, value);
}
```
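As an added illustration of the recommendation (this is example code, not code from the Revolution Protocol repository or from OpenZeppelin), the contract below shows a minimal non-transferable ERC20 where only the owner can mint or burn. It assumes OpenZeppelin Contracts v5, whose `Ownable` takes the initial owner as a constructor argument; the contract name, token name, symbol, and the `TransfersDisabled` error are made up for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the audited project.
// Assumes OpenZeppelin Contracts v5 import paths and constructor signatures.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// @dev Hypothetical non-transferable token: only the owner can mint or burn,
///      and plain transfers between two non-zero accounts are rejected.
contract OwnerMintedNontransferableToken is ERC20, Ownable {
    error TransfersDisabled();

    constructor(address initialOwner)
        ERC20("Owner Minted Token", "OMT")
        Ownable(initialOwner)
    {}

    /// @notice Owner-only entry point for minting.
    /// ERC20._mint already reverts with ERC20InvalidReceiver for address(0).
    function mint(address account, uint256 value) external onlyOwner {
        _mint(account, value);
    }

    /// @notice Owner-only entry point for burning.
    /// ERC20._burn reverts for address(0) and for insufficient balance.
    function burn(address account, uint256 value) external onlyOwner {
        _burn(account, value);
    }

    /// @dev Every balance change (mint, burn, transfer) funnels through _update.
    ///      Only mints (from == 0) and burns (to == 0) are allowed through.
    function _update(address from, address to, uint256 value) internal override {
        if (from != address(0) && to != address(0)) {
            revert TransfersDisabled();
        }
        super._update(from, to, value);
    }
}
```

The example puts `onlyOwner` on the external `mint`/`burn` entry points rather than on the internal `_mint` hook; that keeps the OpenZeppelin zero-address and balance checks intact and leaves `_mint` usable from a constructor or other trusted internal path. A Foundry test for this would call `mint` from a non-owner (via `vm.prank`) and expect a revert with OpenZeppelin v5's `Ownable.OwnableUnauthorizedAccount(address)` error, then call it as the owner and assert the balance increased.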
Lines of code
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/NontransferableERC20Votes.sol#L127
Vulnerability details
Assessed type
Access Control