15,000 USDC
View results
Submission Details
Severity: low

Mint to Contract's Address

Summary

Token can be minted to Contract's Address

Vulnerability Details

The function checks to ensure that the _to address is not the zero address. However, the function does not check to ensure that the _to address is not the contract's own address.

function mint(address _to, uint256 _amount) external onlyOwner returns (bool) {
if (_to == address(0)) {
revert DecentralizedStableCoin__NotZeroAddress();
}
if (_amount <= 0) {
revert DecentralizedStableCoin__MustBeMoreThanZero();
}
_mint(_to, _amount);
return true;
}

Impact

This vulnerability could allow a malicious actor to exploit the contract by minting unauthorized tokens, resulting in token theft. Any user who discovers this flaw could potentially mint tokens for themselves, beyond the intended issuance, effectively stealing from other legitimate token holders. To mitigate this risk, the contract code should be audited to identify and fix any issues that could enable unauthorized minting of tokens. Proper authorization and access controls should be implemented to restrict minting tokens only to authorized accounts. Additionally, the total token supply should be hard-capped to prevent unlimited token creation. By fixing this vulnerability and implementing these security measures, the contract can be made more robust and resistant to exploits that could lead to token theft.

Tools Used

Manual code review

Recommendations

To fix this bug, the mint() function should be updated to check that the _to address is not the contract's own address. The following code shows how the function could be updated:

function mint(address _to, uint256 _amount) external onlyOwner returns (bool) {
if (_to == address(0)) {
revert DecentralizedStableCoin__NotZeroAddress();
}
if (_to == address(this)) {
revert DecentralizedStableCoin__CannotMintToSelf();
}
if (_amount <= 0) {
revert DecentralizedStableCoin__MustBeMoreThanZero();
}
_mint(_to, _amount);
return true;
}

The new code adds a check to ensure that the _to address is not the contract's own address. If the _to address is the contract's own address, the revert() function is called and the mint operation is not performed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.