Open hats-bug-reporter[bot] opened 2 months ago
Thank you for your report on the potential for unlimited minting of group tokens with custom treasuries. After review, we've determined this is not an issue.
As addressed in Issue #12, this is an explicit design choice to allow any group and treasury contracts without governance from Circles protocol. As a result, wallets and other tools need to help users vet whether a group contract is deemed safe to interact with - as for any other contracts on chain.
We appreciate your attention to the implications of our open system design. Your report highlights the importance of user-facing tools in supporting safe interactions within our ecosystem. Thank you for your contribution to this security review.
Github username: @0xmahdirostami
Twitter username: 0xmahdirostami
Submission hash (on-chain): 0x9e801d61d9f96e01afc25f9e387915ae16a066e5586556b8994786a33174ec4b
Severity: low

Description:
Currently, hub contracts allow a custom treasury, so malicious users could use this feature and create a custom treasury. One of these custom ones could allow the group owner to call `mintGroup` from the treasury and mint more tokens without providing new collateral.

Scenario:
`mintGroup` from that and mint new group tokens.

Impact: As there is a trusted network, if no one trusts you, your tokens are made worthless; but users could mint tokens after a time in which they gave some valid collateral, and by doing this they could withdraw users' tokens. And although they gain a lot of tokens, they could do malicious acts like the one I am submitting in the next issue.