Centralization issue on DSC token
Summary
The DecentralizedStableCoin contract inherits ERC20 and Ownable from OZ and enforces that only the owner can mint/burn the token using the onlyOwner modifier on the two functions. The Ownable contract sets the owner during deployment to be equal to msg.sender i.e. the wallet used for the deployment will be set as owner.
Vulnerability Details
.The DSCEngine.sol invokes the mint and burn functions on the DecentralizedStableCoin which address is passed during the construction phase of the DSCEngine contract, however the DSCEngine.sol is not the owner, thus the transactions would fail until ownership is transferred to the DSCEngine. We can assume that this will be done immediately after the deployment of both contracts, so the issue expressed here is more of a design suggestion. Keep in mind that in case ownership is not transferred immediately or an exposed wallet is used for the deployment i.e. with an already leaked PK, an attacker could front-run the transfer of ownership and mint DSC tokens for himself, even tho it is a highly unlikely scenario.
Impact
Potential failing transactions or free mint for an attacker if PK is exposed. Both would work only until ownership is transferred to the DSCEngine.sol.
Tools Used
Manual Review
Recommendations
In order to avoid the above mentioned temporary centralization issue the best thing that can be done is to deploy the DecentralizedStableCoin within the constructor of the DSCEngine.sol. This will ensure that the msg.sender is the DSCEngine.sol and no additional setup would be necessary.
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.