Open c4-bot-5 opened 9 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #1036
raymondfam marked the issue as not a duplicate
raymondfam marked the issue as duplicate of #340
alcueca changed the severity to QA (Quality Assurance)
alcueca marked the issue as grade-a
Lines of code
https://github.com/code-423n4/2024-01-curves/blob/516aedb7b9a8d341d0d2666c23780d2bd8a9a600/contracts/CurvesERC20Factory.sol#L7-L10
Vulnerability details
Impact
CurvesERC20Factory::deploy() deploys CurvesERC20 and has no access control. It allows anyone to deploy CurvesERC20 contracts and mint tokens uncontrollably. These maliciously deployed CurvesERC20 contracts can mint tokens as they wish and "potentially" sell them to unsuspecting buyers. The market will be flooded with unscrupulous tokens, which will destroy the integrity of the system.

Proof of Concept
REFERENCES
Tools Used
Manual Review
Recommended Mitigation Steps
Use a reputable access-control contract such as OpenZeppelin's Ownable.
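As an added illustration of that mitigation (not the project's code), below is a simplified factory in its unrestricted form beside one guarded with OpenZeppelin's Ownable; IllustrativeToken, OpenFactory, RestrictedFactory and the single trusted caller are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumes OpenZeppelin Contracts v5 (Ownable takes the initial owner in its constructor).
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";

// Illustrative token (stand-in, not the project's CurvesERC20): only its owner can mint.
contract IllustrativeToken is ERC20, Ownable {
    constructor(string memory name_, string memory symbol_, address owner_)
        ERC20(name_, symbol_) Ownable(owner_) {}

    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }
}

// Weak form: anyone can call deploy() and hand out a mint-capable token to any owner.
contract OpenFactory {
    event Deployed(address indexed token, address indexed tokenOwner);

    function deploy(string calldata name_, string calldata symbol_, address tokenOwner)
        external returns (address token)
    {
        token = address(new IllustrativeToken(name_, symbol_, tokenOwner));
        emit Deployed(token, tokenOwner);
    }
}

// Hardened form: the factory is itself Ownable and deploy() is restricted to its owner,
// assumed here to be the one trusted caller (e.g. the protocol's core contract).
contract RestrictedFactory is Ownable {
    event Deployed(address indexed token, address indexed tokenOwner);

    constructor(address trustedCaller) Ownable(trustedCaller) {}

    function deploy(string calldata name_, string calldata symbol_, address tokenOwner)
        external onlyOwner returns (address token)
    {
        token = address(new IllustrativeToken(name_, symbol_, tokenOwner));
        emit Deployed(token, tokenOwner);
    }
}
```

Any call to RestrictedFactory.deploy() from an address other than the configured owner reverts with OwnableUnauthorizedAccount, so tokens can only enter the system through the trusted path.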
Assessed type
Access Control