Foundry DeFi Stablecoin CodeHawks Audit Contest

Cyfrin

DeFiFoundry

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

Unrestricted Mint Capability Before Initialization

gaslimit

Summary

The vulnerability in the DecentralizedStableCoin contract allows the deployer to possess unrestricted minting capabilities. Initially, the DSCEngine contract lacks the role to mint tokens until ownership is transferred by the DecentralizedStableCoin deployer. However, prior to this transfer of ownership, the deployer has the ability to mint an infinite amount of DecentralizedStableCoin Tokens, potentially leading to an inflationary risk and affecting the stability of the system.

Vulnerability Details

The DSCEngine contract is reliant on being granted ownership of the DecentralizedStableCoin contract to mint tokens, which is achieved by invoking the transferOwnership() function from the inherited Ownable.sol contract provided by OpenZeppelin. However, until ownership is transferred to DSCEngine, there exists a potential security flaw wherein the deployer can invoke the mint() function without any collateralization, leading to the creation of tokens without proper backing.

function transferOwnership(address newOwner) public virtual onlyOwner {

if (newOwner == address(0)) {

revert OwnableInvalidOwner(address(0));

}

_transferOwnership(newOwner);

}

function mint(address _to, uint256 _amount) external onlyOwner returns (bool) {

if (_to == address(0)) {

revert DecentralizedStableCoin__NotZeroAddress();

}

if (_amount <= 0) {

revert DecentralizedStableCoin__MustBeMoreThanZero();

}

_mint(_to, _amount);

return true;

}

Impact

❌Inflated Supply

While the DSCEngine contract may eventually receive the minting role through ownership transfer, the fact that the deployer can mint an infinite amount of tokens before that transfer poses a significant risk to the stability and security of the system.

Unrestricted minting capabilities can lead to various issues, including inflation, devaluation of the token, and potential economic exploits. It is essential to address this vulnerability to ensure the integrity and proper functioning of the decentralized stablecoin system.

Tools Used

VSCode, Foundry

Recommendations

To address the vulnerability of unrestricted minting capabilities in the DecentralizedStableCoinca contract, it is recommended to implement the following fix:

Integrate the DecentralizedStableCoin ERC20 token deployment within the DSCEngine contract, setting the DSCEngine as the token owner upon deployment, and implementing access control for minting to prevent unauthorized token minting and ensure secure control over the decentralized stablecoin system.
Transfer Ownership: Once the DecentralizedStableCoin contract is ready and thoroughly audited, transfer ownership of the DSC Token contract to the DSCEngine contract or the designated address with minting access. This step should be done carefully and securely.
Minting Access Control: Modify the DecentralizedStableCoin contract to include an access control mechanism for minting. This can be achieved using role-based access control (RBAC) or a permission system. Create a new role, such as "Minter," and assign the minting capability only to the DSCEngine contract or a designated address that will handle minting.

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

236

64 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.