`LiquidInfrastructureERC20::mint()` - Combined with the fact that owner can make himself a holder, the fact that owner can mint as many LI ERC20 tokens as he wants to himself, enables a vulnerability where he can game the system and during distributions get the biggest share of the rewards, effectively taking rewards that belong to other holders, due to his unfair advantage in terms of total tokens held.

[c4-bot-10]

Lines of code

https://github.com/code-423n4/2024-02-althea-liquid-infrastructure/blob/3adc34600561077ad4834ee9621060afd9026f06/liquid-infrastructure/contracts/LiquidInfrastructureERC20.sol#L279

Vulnerability details

LOW severity if trusted role, otherwise at least medium severity.

A rogue/untrusted owner can mint themselves LI ERC20 tokens to an address of their choice(or to address(this)) and make himself a holder, thereby enabling his participation in rewards distribution, but since he has full control over how many tokens he can mint, he can game the system this way to unfairly receive the majority of the rewards during distributions.

There are no checks to prevent this.

    function mint(address account, uint256 amount) public onlyOwner nonReentrant {
        _mint(account, amount);
    }

Recommendation:

• At the very least owner should not be allowed to make his own msg.sender address or address(this) a holder, to help maintain trust in the protocol.

Assessed type

Other

[c4-pre-sort]

0xRobocop marked the issue as insufficient quality report

[c4-judge]

0xA5DF marked the issue as unsatisfactory: Out of scope

[0xA5DF]

Centralization risk, belongs in analysis report