The DecentralizedStableCoin contract inherits ERC20 and Ownable from OZ and enforces that only the owner can mint/burn the token using the onlyOwner
modifier on the two functions. The Ownable contract sets the owner during deployment to be equal to msg.sender i.e. the wallet used for the deployment will be set as owner.
.The DSCEngine.sol invokes the mint
and burn
functions on the DecentralizedStableCoin which address is passed during the construction phase of the DSCEngine contract, however the DSCEngine.sol is not the owner, thus the transactions would fail until ownership is transferred to the DSCEngine. We can assume that this will be done immediately after the deployment of both contracts, so the issue expressed here is more of a design suggestion. Keep in mind that in case ownership is not transferred immediately or an exposed wallet is used for the deployment i.e. with an already leaked PK, an attacker could front-run the transfer of ownership and mint DSC tokens for himself, even tho it is a highly unlikely scenario.
Potential failing transactions or free mint for an attacker if PK is exposed. Both would work only until ownership is transferred to the DSCEngine.sol.
Manual Review
In order to avoid the above mentioned temporary centralization issue the best thing that can be done is to deploy the DecentralizedStableCoin within the constructor of the DSCEngine.sol. This will ensure that the msg.sender is the DSCEngine.sol and no additional setup would be necessary.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.