Token can be minted to Contract's Address
The function checks to ensure that the _to address is not the zero address. However, the function does not check to ensure that the _to address is not the contract's own address.
This vulnerability could allow a malicious actor to exploit the contract by minting unauthorized tokens, resulting in token theft. Any user who discovers this flaw could potentially mint tokens for themselves, beyond the intended issuance, effectively stealing from other legitimate token holders. To mitigate this risk, the contract code should be audited to identify and fix any issues that could enable unauthorized minting of tokens. Proper authorization and access controls should be implemented to restrict minting tokens only to authorized accounts. Additionally, the total token supply should be hard-capped to prevent unlimited token creation. By fixing this vulnerability and implementing these security measures, the contract can be made more robust and resistant to exploits that could lead to token theft.
Manual code review
To fix this bug, the mint() function should be updated to check that the _to address is not the contract's own address. The following code shows how the function could be updated:
The new code adds a check to ensure that the _to address is not the contract's own address. If the _to address is the contract's own address, the revert() function is called and the mint operation is not performed.
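The check described above, together with the access control and supply cap the mitigation paragraph calls for, as an added example that is not the submission's or the project's code. The contract name, minter, MAX_SUPPLY, the storage layout and the revert strings are assumptions; mintBefore only sketches the behaviour the finding describes and is not the audited function.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. Only mint() and _to come from the finding;
// every other name here is an assumption made for the example.
contract ExampleToken {
    address public immutable minter;                         // assumed single authorized minter
    uint256 public constant MAX_SUPPLY = 1_000_000 * 1e18;  // assumed hard cap
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor() {
        minter = msg.sender;
    }

    // Behaviour as described in the finding: the zero address is rejected,
    // but _to == address(this) passes and the tokens land on the contract itself.
    function mintBefore(address _to, uint256 _amount) external {
        require(_to != address(0), "mint to zero address");
        totalSupply += _amount;
        balanceOf[_to] += _amount;
        emit Transfer(address(0), _to, _amount);
    }

    // Hardened version: every check runs before any state is written.
    function mint(address _to, uint256 _amount) external {
        if (msg.sender != minter) revert("caller is not the minter");
        if (_to == address(0)) revert("mint to zero address");
        // The check the finding recommends: refuse the contract's own address.
        if (_to == address(this)) revert("mint to token contract");
        // Hard cap on total supply, as the mitigation text asks for.
        if (totalSupply + _amount > MAX_SUPPLY) revert("supply cap exceeded");

        totalSupply += _amount;
        balanceOf[_to] += _amount;
        emit Transfer(address(0), _to, _amount);
    }
}
```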