15,000 USDC
Submission Details
Severity: medium

[M-03] Revert in the `mintDsc` function when called by normal users

Summary

The DecentralizedStableCoin.sol contract exposes a mint function guarded by the onlyOwner modifier, so only the owner of that contract can mint. The mintDsc function in DSCEngine.sol calls that mint function on behalf of users. Unless the DSCEngine contract itself is the owner of DecentralizedStableCoin, every such call reverts and normal users are unable to mint DSC.

Vulnerability Details

In the constructor of the DSCEngine.sol contract, the i_dsc variable is assigned the DecentralizedStableCoin instance located at dscAddress, so DecentralizedStableCoin must be deployed before DSCEngine.sol. Its mint function carries the onlyOwner modifier, which admits only the address stored as the contract owner (by default the deployer).

The issue arises when a normal user calls the mintDsc function in the DSCEngine.sol contract. The function executes the following line:

bool minted = i_dsc.mint(msg.sender, amountDscToMint);

Inside DecentralizedStableCoin.mint, msg.sender is the DSCEngine contract, because the user only ever calls DSCEngine. If the DSCEngine address is not the owner of DecentralizedStableCoin, the onlyOwner check fails and the entire mintDsc transaction reverts. Whether this happens is decided at deployment: if ownership of DecentralizedStableCoin is never handed to DSCEngine (for example with the standard Ownable transferOwnership call), no user can mint through mintDsc.

Impact

Unless DSCEngine owns DecentralizedStableCoin, the mintDsc function in DSCEngine.sol reverts for every caller because of the onlyOwner modifier on mint. Users cannot mint the decentralized stablecoin against their collateral, which makes the protocol's core function unavailable.
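The following Foundry test is an added illustration, not code from the audited project. It uses two minimal stand-in contracts (MinimalDsc, MinimalEngine, their custom errors and the test contract are all assumed names) that keep only the parts relevant to this finding: an owner-gated mint and an engine that calls it for the user. The first test reproduces the revert described above with the deployment order the finding assumes; the second shows that the same call succeeds once ownership of the token is transferred to the engine. forge-std is assumed to be installed in the project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added example, not the audited project's code. forge-std is assumed to be installed.
import {Test} from "forge-std/Test.sol";

// Stand-in for DecentralizedStableCoin: owner-gated mint, nothing else.
contract MinimalDsc {
    address public owner;
    mapping(address => uint256) public balanceOf;

    error DecentralizedStableCoin__NotOwner();

    constructor() {
        owner = msg.sender; // deployer becomes owner, as with Ownable
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert DecentralizedStableCoin__NotOwner();
        _;
    }

    function transferOwnership(address newOwner) external onlyOwner {
        owner = newOwner;
    }

    // msg.sender here is whoever calls this contract directly. For a call routed
    // through the engine that is the engine's address, never the end user.
    function mint(address to, uint256 amount) external onlyOwner returns (bool) {
        balanceOf[to] += amount;
        return true;
    }
}

// Stand-in for DSCEngine: mirrors the quoted i_dsc.mint call, with the
// collateral and health-factor checks omitted because they are not relevant here.
contract MinimalEngine {
    MinimalDsc private immutable i_dsc;

    error DSCEngine__MintFailed();

    constructor(address dscAddress) {
        i_dsc = MinimalDsc(dscAddress);
    }

    function mintDsc(uint256 amountDscToMint) external {
        bool minted = i_dsc.mint(msg.sender, amountDscToMint);
        if (!minted) revert DSCEngine__MintFailed();
    }
}

contract MintDscOwnershipTest is Test {
    address user = makeAddr("user");

    // Deployment order from the finding, ownership left with the deployer:
    // the engine is not the owner, so the user's mint reverts.
    function test_RevertsWhenEngineIsNotOwner() public {
        MinimalDsc dsc = new MinimalDsc();
        MinimalEngine engine = new MinimalEngine(address(dsc));

        vm.prank(user);
        vm.expectRevert(MinimalDsc.DecentralizedStableCoin__NotOwner.selector);
        engine.mintDsc(100 ether);
    }

    // Same deployment plus the ownership hand-off: the same call now succeeds.
    function test_SucceedsAfterOwnershipTransfer() public {
        MinimalDsc dsc = new MinimalDsc();
        MinimalEngine engine = new MinimalEngine(address(dsc));
        dsc.transferOwnership(address(engine));

        vm.prank(user);
        engine.mintDsc(100 ether);
        assertEq(dsc.balanceOf(user), 100 ether);
    }
}
```

Run with `forge test --match-contract MintDscOwnershipTest`. The point the two tests make together is that the revert is a property of the deployment, not of the caller: the onlyOwner check never sees the user's address, only the engine's.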

Proof of Concept

Vulnerable code:

DecentralizedStableCoin.sol, the owner-gated mint:

function mint(address _to, uint256 _amount) external onlyOwner returns (bool) {

DSCEngine.sol, the call made from mintDsc with the engine as msg.sender:

bool minted = i_dsc.mint(msg.sender, amountDscToMint);

Tools Used

  • VS Code

  • Manual review

Recommendations

One fix is to replace onlyOwner on mint with a modifier that admits the owner or an explicitly authorized minter (such as the DSCEngine address), with the authorization list managed by the owner. Alternatively, keep onlyOwner and transfer ownership of DecentralizedStableCoin to the DSCEngine in the deployment script (dsc.transferOwnership(address(engine)) with the standard Ownable function), so that the only contract that calls mint is its owner. Either way, add a test that calls mintDsc from a non-owner account after deployment, since that is the path that fails today.

Example:

// Addresses allowed to mint besides the owner; set by the owner (e.g. the DSCEngine).
mapping(address => bool) public isAuthorizedMinter;

// Admits the owner or any explicitly authorized minter.
modifier onlyAuthorizedMinter() {
    require(
        msg.sender == owner() || isAuthorizedMinter[msg.sender],
        "DecentralizedStableCoin__UnauthorizedMinter"
    );
    _;
}
