Missing access control in `CurvesERC20Factory::deploy()` will allow anyone to deploy `CurvesERC20` contract and mint unscrupulous tokens.

[c4-bot-5]

Lines of code

https://github.com/code-423n4/2024-01-curves/blob/516aedb7b9a8d341d0d2666c23780d2bd8a9a600/contracts/CurvesERC20Factory.sol#L7-L10

Vulnerability details

Impact

• CurvesERC20Factory::deploy() deploys CurvesERC20 and has no access control. It will allow anyone to just deploy CurvesERC20 contracts and mint tokens uncontrollably.

• These maliciously deployed CurvesERC20 contracts can just mint tokens as they wish and "potentially" sell it to the unsuspecting buyers. The market will be flooded with unscrupulous tokens and will destroy the integrity of the system.

Proof of Concept

REFERENCES

• Here's the code link and the snippet is shown below.

  contract CurvesERC20Factory {
      function deploy(string memory name, string memory symbol, address owner) public returns (address) {
          CurvesERC20 tokenContract = new CurvesERC20(name, symbol, owner);
          return address(tokenContract);
      }
  }

  Tools Used

  Manual Review

Recommended Mitigation Steps

Use a reputable access controller contracts like Openzeppelin's Ownable.

Assessed type

Access Control

[c4-pre-sort]

raymondfam marked the issue as insufficient quality report

[c4-pre-sort]

raymondfam marked the issue as duplicate of #1036

[c4-pre-sort]

raymondfam marked the issue as not a duplicate

[c4-pre-sort]

raymondfam marked the issue as duplicate of #340

[c4-judge]

alcueca changed the severity to QA (Quality Assurance)

[c4-judge]

alcueca marked the issue as grade-a