15,000 USDC
View results
Submission Details
Severity: low

Centralization issue on DSC token

Summary

The DecentralizedStableCoin contract inherits ERC20 and Ownable from OZ and enforces that only the owner can mint/burn the token using the onlyOwner modifier on the two functions. The Ownable contract sets the owner during deployment to be equal to msg.sender i.e. the wallet used for the deployment will be set as owner.

Vulnerability Details

.The DSCEngine.sol invokes the mint and burn functions on the DecentralizedStableCoin which address is passed during the construction phase of the DSCEngine contract, however the DSCEngine.sol is not the owner, thus the transactions would fail until ownership is transferred to the DSCEngine. We can assume that this will be done immediately after the deployment of both contracts, so the issue expressed here is more of a design suggestion. Keep in mind that in case ownership is not transferred immediately or an exposed wallet is used for the deployment i.e. with an already leaked PK, an attacker could front-run the transfer of ownership and mint DSC tokens for himself, even tho it is a highly unlikely scenario.

Impact

Potential failing transactions or free mint for an attacker if PK is exposed. Both would work only until ownership is transferred to the DSCEngine.sol.

Tools Used

Manual Review

Recommendations

In order to avoid the above mentioned temporary centralization issue the best thing that can be done is to deploy the DecentralizedStableCoin within the constructor of the DSCEngine.sol. This will ensure that the msg.sender is the DSCEngine.sol and no additional setup would be necessary.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.