The mint function in the WStETHMock contract lacks access control, so anyone can call it and mint new tokens. This is a significant security risk: it allows unauthorized inflation or manipulation of the token supply.
Because mint has no access control, any external account can call it freely. An attacker can therefore mint an arbitrary quantity of WStETHMock tokens to an address of their choosing, causing disruption through unauthorized token generation.
As the code at the following path shows, there is no access control on the mint function.
contracts/mock/tokens/WStETHMock.sol
Anyone can mint unlimited WStETHMock tokens to an address of their choosing by calling WStETHMock::mint.
Manual Review
Add the onlyOwner modifier to WStETHMock::mint. Since WStETHMock already inherits Ownable, the onlyOwner modifier is available, so only the owner of the contract will be able to call WStETHMock::mint.
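The following is an added illustration of the recommended fix together with a Foundry test that checks it; it is not the project's WStETHMock source, which is not reproduced in this finding. It assumes OpenZeppelin Contracts v5 (whose Ownable takes the initial owner as a constructor argument and reverts with OwnableUnauthorizedAccount), forge-std for the test harness, and a mint(address,uint256) signature, which is a guess since the original signature is not shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited project's code. Assumes OpenZeppelin Contracts v5;
// with v4, drop the `Ownable(msg.sender)` constructor call and expect the string
// revert "Ownable: caller is not the owner" instead of the custom error.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Test} from "forge-std/Test.sol";

contract WStETHMock is ERC20, Ownable {
    constructor() ERC20("Wrapped liquid staked Ether 2.0", "wstETH") Ownable(msg.sender) {}

    // Vulnerable shape described in the finding (kept as a comment for comparison):
    // any caller can mint any amount to any address.
    //
    // function mint(address to, uint256 amount) external {
    //     _mint(to, amount);
    // }

    // Recommended fix: gate minting with the onlyOwner modifier inherited from Ownable.
    // The (address,uint256) parameter list is an assumption; adapt to the real signature.
    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }
}

// Regression test: the deployer (this test contract) becomes owner in setUp,
// so a call from any other account must revert.
contract WStETHMockTest is Test {
    WStETHMock internal token;
    address internal attacker = address(0xBEEF); // constructed test address

    function setUp() public {
        token = new WStETHMock();
    }

    function testNonOwnerCannotMint() public {
        vm.prank(attacker);
        vm.expectRevert(
            abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, attacker)
        );
        token.mint(attacker, 1 ether);
    }

    function testOwnerCanMint() public {
        token.mint(address(this), 1 ether);
        assertEq(token.balanceOf(address(this)), 1 ether);
        assertEq(token.totalSupply(), 1 ether);
    }
}
```

Run with `forge test --match-contract WStETHMockTest`. Even though this is a mock, gating mint matters because test deployments of mocks often end up on shared networks where any unrestricted minting function is reachable by anyone.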