code-423n4 / 2023-12-revolutionprotocol-findings


No access control on critical functions #708

Closed c4-bot-6 closed 8 months ago

c4-bot-6 commented 8 months ago

Lines of code

https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/NontransferableERC20Votes.sol#L127

Vulnerability details

The contract lacks proper access control on critical functions, allowing unauthorized parties to execute them.

Recommendation: Use OpenZeppelin Ownable control for minting/burning, etc.

Before:

// No access control checks in critical functions
function _mint(address account, uint256 value) internal override {
    if (account == address(0)) {
        revert ERC20InvalidReceiver(address(0));
    }
    _update(address(0), account, value);
}

After:

// Add access control to critical functions
function _mint(address account, uint256 value) internal onlyOwner override {
    require(account != address(0), "ERC20: mint to the zero address");
    _update(address(0), account, value);
}

Assessed type

Access Control
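The snippet above patches the internal `_mint` hook, but an `internal` function is never callable from outside the contract; the access check that matters is on whichever external entry point reaches `_mint` or `_burn`. The following is an added illustration, not code from the Revolution Protocol repository or from the report: a minimal non-transferable token (plain ERC20 rather than ERC20Votes, to keep it short) whose externally reachable `mint` and `burn` are gated with OpenZeppelin v5 `Ownable`, plus a Foundry test showing that a non-owner call reverts. Contract names, the `GatedVoteToken` identifier, and the sample addresses are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (assumed names; not the Revolution Protocol code).
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Test} from "forge-std/Test.sol";

contract GatedVoteToken is ERC20, Ownable {
    error TransfersDisabled();

    constructor(address initialOwner)
        ERC20("Gated Votes", "GVOTE")
        Ownable(initialOwner)
    {}

    // External entry point: only the owner (in practice a minter/manager
    // contract) may create supply. This is where the access check belongs.
    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }

    // Burning is equally privileged: it changes voting weight.
    function burn(address from, uint256 amount) external onlyOwner {
        _burn(from, amount);
    }

    // Non-transferable: only mint (from == 0) and burn (to == 0) pass through.
    function _update(address from, address to, uint256 value) internal override {
        if (from != address(0) && to != address(0)) revert TransfersDisabled();
        super._update(from, to, value);
    }
}

// Foundry test: the owner can mint; anyone else is rejected before state changes.
contract GatedVoteTokenTest is Test {
    GatedVoteToken token;
    address owner = address(0xA11CE);    // constructed sample address
    address outsider = address(0xB0B);   // constructed sample address

    function setUp() public {
        token = new GatedVoteToken(owner);
    }

    function testOnlyOwnerCanMint() public {
        vm.prank(owner);
        token.mint(owner, 100);
        assertEq(token.balanceOf(owner), 100);

        vm.prank(outsider);
        vm.expectRevert(
            abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, outsider)
        );
        token.mint(outsider, 100);
        assertEq(token.balanceOf(outsider), 0);
    }

    function testTransfersDisabled() public {
        vm.prank(owner);
        token.mint(owner, 1);

        vm.prank(owner);
        vm.expectRevert(GatedVoteToken.TransfersDisabled.selector);
        token.transfer(outsider, 1);
    }
}
```

Run with `forge test` in a project that has `@openzeppelin/contracts` (v5) and `forge-std` installed. The design point is that the guard sits on the public surface (`mint`/`burn`), while `_update` enforces the non-transferability invariant regardless of who calls it.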

c4-pre-sort commented 8 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 8 months ago

raymondfam marked the issue as duplicate of #686

c4-judge commented 8 months ago

MarioPoneder marked the issue as unsatisfactory: Overinflated severity