Submission Details
Severity: high

DecentralizedStableCoin contract owner can mint unlimited DSC without depositing collateral

Summary

DecentralizedStableCoin contract owner can mint unlimited DSC without depositing collateral

Vulnerability Details

The deployer of the DecentralizedStableCoin contract can mint unlimited DSC by calling the mint function directly on the DecentralizedStableCoin contract.

The onlyOwner modifier gives the deployer this unlimited power to mint DSC without depositing any collateral. This runs against the idea of the contract, which is that DSC is minted only against deposited collateral.

Impact

The deployer of the DecentralizedStableCoin contract, who is automatically set as the owner, can mint DSC without providing any collateral.

Here's a PoC (a Foundry test; `dsc` is the deployed DecentralizedStableCoin instance):
    function testmint() public {
        // Impersonate the current owner of the DSC contract (the deployer)
        vm.startPrank(dsc.owner());
        // Mint 1,000,000 wei of DSC straight from the token contract, with no collateral deposited
        dsc.mint(dsc.owner(), 1000000);
        // The mint succeeded: the owner now holds the freshly minted DSC
        assertEq(dsc.balanceOf(dsc.owner()), 1000000);
        // Note: `.balance` is the owner's native ETH balance (Foundry's default test funding), not its DSC balance
        console.log(dsc.owner().balance / 1e18);
        vm.stopPrank();
    }

Here's the result:

gitpod ~/2023-07-foundry-defi-stablecoin (main) $ forge test --match-contract DecentralizedStablecoinTest --match-test testmint -vvvv
[⠰] Compiling...
No files changed, compilation skipped

Running 1 test for test/unit/DecentralizedStablecoinTest.t.sol:DecentralizedStablecoinTest
[PASS] testmint() (gas: 63127)
Logs:
79228162514

Traces:
[63127] DecentralizedStablecoinTest::testmint()
├─ [2390] DecentralizedStableCoin::owner() [staticcall]
│ └─ ← DecentralizedStablecoinTest: [0x7FA9385bE102ac3EAc297483Dd6233D62b3e1496]
├─ [0] VM::startPrank(DecentralizedStablecoinTest: [0x7FA9385bE102ac3EAc297483Dd6233D62b3e1496])
│ └─ ← ()
├─ [390] DecentralizedStableCoin::owner() [staticcall]
│ └─ ← DecentralizedStablecoinTest: [0x7FA9385bE102ac3EAc297483Dd6233D62b3e1496]
├─ [46965] DecentralizedStableCoin::mint(DecentralizedStablecoinTest: [0x7FA9385bE102ac3EAc297483Dd6233D62b3e1496], 1000000 [1e6])
│ ├─ emit Transfer(from: 0x0000000000000000000000000000000000000000, to: DecentralizedStablecoinTest: [0x7FA9385bE102ac3EAc297483Dd6233D62b3e1496], value: 1000000 [1e6])
│ └─ ← true
├─ [390] DecentralizedStableCoin::owner() [staticcall]
│ └─ ← DecentralizedStablecoinTest: [0x7FA9385bE102ac3EAc297483Dd6233D62b3e1496]
├─ [0] console::f5b1bba9(00000000000000000000000000000000000000000000000000000012725dd1d2) [staticcall]
│ └─ ← ()
├─ [0] VM::stopPrank()
│ └─ ← ()
└─ ← ()

Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 2.49ms
Ran 1 test suites: 1 tests passed, 0 failed, 0 skipped (1 total tests)

Tools Used

Foundry

Recommendations

You could make the DecentralizedStableCoin contract an abstract contract, or renounce ownership (setting the owner to address(0)) so that no account retains the onlyOwner mint privilege.
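As an added example (not the audited repository's code), here is a Foundry test that checks the invariant this finding is about once a deployment is done: the deployer must no longer be able to call mint. It covers both an ownership hand-off to the contract meant to be the sole minter and the renounceOwnership option from the recommendation; the token stand-in, the `engine` address and OpenZeppelin v4 (no-argument Ownable constructor) are assumptions.

```solidity
pragma solidity ^0.8.18;
// Added example, not the audited repository's code. Assumes OpenZeppelin v4; the
// token stand-in mirrors only the owner-gated mint the report describes, and
// `engine` is a hypothetical address for the contract meant to be the sole minter.
import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

contract DecentralizedStableCoin is ERC20, Ownable {
    constructor() ERC20("DecentralizedStableCoin", "DSC") {}
    // Same shape as the mint the report exercises: gated only by onlyOwner.
    function mint(address to, uint256 amount) external onlyOwner returns (bool) {
        _mint(to, amount);
        return true;
    }
}

contract MintPrivilegeTest is Test {
    address deployer = makeAddr("deployer");
    address engine = makeAddr("engine");
    address user = makeAddr("user");
    DecentralizedStableCoin dsc;
    function setUp() public {
        vm.prank(deployer);
        dsc = new DecentralizedStableCoin(); // deployer becomes owner, as in the report
    }

    // After hand-off to the engine the deployer's direct mint reverts; only the engine mints.
    function testDeployerCannotMintAfterHandoff() public {
        vm.prank(deployer);
        dsc.transferOwnership(engine);
        vm.prank(deployer);
        vm.expectRevert();
        dsc.mint(deployer, 1e6);
        assertEq(dsc.balanceOf(deployer), 0);
        vm.prank(engine);
        dsc.mint(user, 1e6);
        assertEq(dsc.balanceOf(user), 1e6);
    }

    // The report's renounceOwnership option leaves no minter at all; use it only if minting is never needed again.
    function testRenounceRemovesMintingEntirely() public {
        vm.prank(deployer);
        dsc.renounceOwnership();
        assertEq(dsc.owner(), address(0));
        vm.prank(deployer);
        vm.expectRevert();
        dsc.mint(user, 1e6);
    }
}
```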
