MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: low
Valid

Missing access control in `WStETHMock::mint`. An attacker can mint an unlimited amount of `WStETHMock` tokens to their own account.

Summary

The mint function in the WStETHMock contract lacks proper access control, allowing anyone to call it and mint new tokens. This poses a significant security risk as it can lead to unauthorized inflation or manipulation of the token supply.

Vulnerability Details

The mint function has no access control mechanism, so any address can call it. An attacker can use this to mint an arbitrary quantity of WStETHMock tokens to any address of their choosing, inflating the supply and disrupting anything that relies on the mock's balances.

The code snippet below shows that there is no access control on the mint function.

File: contracts/mock/tokens/WStETHMock.sol

    function mint(address account_, uint256 amount_) external { //@audit no access control
        _mint(account_, amount_);
    }


Impact

Anyone can mint an unlimited amount of WStETHMock tokens to their own account by calling the WStETHMock::mint function.

Tools Used

Manual Review

Recommended Mitigation Steps

Add the onlyOwner modifier to the WStETHMock::mint function. Since the WStETHMock contract inherits Ownable, the onlyOwner modifier is already available, so with this change only the owner of the contract can call WStETHMock::mint.
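The following Foundry test file is an added example and not the project's own code. It puts a minimal stand-in for the unrestricted mint next to an owner-restricted version and shows, as a regression test, that the first accepts a mint from an arbitrary caller while the second reverts. The `MockBase`, `VulnerableWStETHMock`, `HardenedWStETHMock` and `NotOwner` names are assumptions made for this example; the hardened variant carries its own small owner check in place of the inherited Ownable the report refers to, so the file compiles on its own with only forge-std.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Minimal stand-in for the page's mock token (constructed for this example,
// not the project's own code). Only balances are tracked; transfer logic is
// irrelevant to the access-control question.
abstract contract MockBase {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    function _mint(address account_, uint256 amount_) internal {
        totalSupply += amount_;
        balanceOf[account_] += amount_;
    }
}

// Mirrors the finding: mint has no restriction on msg.sender.
contract VulnerableWStETHMock is MockBase {
    function mint(address account_, uint256 amount_) external {
        _mint(account_, amount_);
    }
}

// Recommended shape: an Ownable-style check gates mint. The owner/onlyOwner
// pair here is a hypothetical minimal version of what Ownable provides.
contract HardenedWStETHMock is MockBase {
    address public immutable owner;

    error NotOwner(address caller);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner(msg.sender);
        _;
    }

    function mint(address account_, uint256 amount_) external onlyOwner {
        _mint(account_, amount_);
    }
}

contract MintAccessControlTest is Test {
    address constant STRANGER = address(0xBAD); // constructed non-owner address

    // Documents the defect: a non-owner can inflate the supply at will.
    function test_vulnerableMockAllowsAnyoneToMint() public {
        VulnerableWStETHMock token = new VulnerableWStETHMock();
        vm.prank(STRANGER);
        token.mint(STRANGER, 1_000_000 ether);
        assertEq(token.balanceOf(STRANGER), 1_000_000 ether);
        assertEq(token.totalSupply(), 1_000_000 ether);
    }

    // Verifies the mitigation: the same call reverts for a non-owner and
    // still succeeds for the owner (the deploying test contract).
    function test_hardenedMockRejectsNonOwner() public {
        HardenedWStETHMock token = new HardenedWStETHMock();
        vm.prank(STRANGER);
        vm.expectRevert(
            abi.encodeWithSelector(HardenedWStETHMock.NotOwner.selector, STRANGER)
        );
        token.mint(STRANGER, 1 ether);
        assertEq(token.balanceOf(STRANGER), 0);

        token.mint(address(this), 1 ether);
        assertEq(token.balanceOf(address(this)), 1 ether);
    }
}
```

Run with `forge test` in a project that has forge-std installed; the first test passes only because the vulnerable variant is kept deliberately, and would fail once the modifier is applied there too.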

-15: function mint(address account_, uint256 amount_) external {
+15: function mint(address account_, uint256 amount_) external onlyOwner {
16: _mint(account_, amount_);
17: }
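Review bot: the `+` line adds `onlyOwner` but the hunk does not show the `Ownable` inheritance or an owner being set in the constructor; both are stated in the prose above, so confirm them in `WStETHMock.sol` before merging, otherwise the modifier is undefined and the contract will not compile. The judge's tag lists `StETHMock:mint` alongside this function, so the same one-line change should be applied there as well.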
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of access control in `StETHMock:mint` and `WStETHMock::mint`
