A smart contract exposes a public mint function with no access control. Any caller can mint an arbitrary number of tokens to any address, which can lead to inflation of the token supply, devaluation of existing holdings, and unauthorized distribution of tokens.
The WStETHMock smart contract implements a mint function that is intended to create new tokens and assign them to a specified address. The function prototype is as follows:
This function has no access control at all: no modifier such as onlyOwner, no role check, and no check on msg.sender. As a result, any externally owned account or contract can call it and mint an unbounded amount of tokens to any address.
The primary impact of this vulnerability includes, but is not limited to:
Inflation of Token Supply: Unrestricted minting can lead to a rapid increase in the total supply of tokens, diluting the value of existing tokens.
Unauthorized Token Distribution: Malicious actors or unauthorized users could distribute tokens to themselves or others, undermining the token distribution plan and potentially facilitating other attacks or fraud.
Manual Code Review
To mitigate this vulnerability, it is recommended to add an access control mechanism to the mint function. This can be achieved by using OpenZeppelin's Ownable contract, restricting mint to the contract owner with the onlyOwner modifier, or, where a specific set of addresses must be authorized to mint, OpenZeppelin's AccessControl contract with a dedicated minter role.
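The following is an added example written for this write-up; it is not code from the audited project. Because the page does not reproduce the real prototype, the mint signature `mint(address to, uint256 amount)`, the contract names, and the token name and symbol are all assumptions. It places the unrestricted mint beside an Ownable-based fix and an AccessControl-based fix, and includes a Foundry test (assuming OpenZeppelin Contracts v5 and forge-std are installed) that demonstrates the unauthorized mint on the vulnerable shape and the revert on both hardened shapes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumptions: OpenZeppelin Contracts v5.x (Ownable takes the initial owner in
// its constructor) and Foundry's forge-std for the test contract.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";
import {Test} from "forge-std/Test.sol";

// Shape of the finding (assumed signature; the page does not reproduce the real
// prototype): the mint entry point has no modifier and no caller check.
contract WStETHMockVulnerable is ERC20 {
    constructor() ERC20("Wrapped liquid staked Ether 2.0", "wstETH") {}

    function mint(address to, uint256 amount) external {
        _mint(to, amount); // any caller, any recipient, any amount
    }
}

// Fix 1: a single privileged minter via Ownable.
contract WStETHMockOwnable is ERC20, Ownable {
    constructor(address initialOwner)
        ERC20("Wrapped liquid staked Ether 2.0", "wstETH")
        Ownable(initialOwner)
    {}

    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }
}

// Fix 2: a set of authorized minters via AccessControl and a MINTER_ROLE.
contract WStETHMockRoles is ERC20, AccessControl {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");

    constructor(address admin) ERC20("Wrapped liquid staked Ether 2.0", "wstETH") {
        // DEFAULT_ADMIN_ROLE is the admin of MINTER_ROLE, so `admin` may grant/revoke it.
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
    }

    function mint(address to, uint256 amount) external onlyRole(MINTER_ROLE) {
        _mint(to, amount);
    }
}

// Foundry test: an unprivileged address can inflate the vulnerable mock but is
// rejected by both hardened variants. Addresses are constructed test fixtures.
contract MintAccessControlTest is Test {
    address internal owner = makeAddr("owner");
    address internal attacker = makeAddr("attacker");

    function test_anyoneCanMintOnVulnerableMock() public {
        WStETHMockVulnerable token = new WStETHMockVulnerable();
        vm.prank(attacker);
        token.mint(attacker, 1_000_000 ether); // succeeds: supply inflated at will
        assertEq(token.balanceOf(attacker), 1_000_000 ether);
        assertEq(token.totalSupply(), 1_000_000 ether);
    }

    function test_onlyOwnerCanMint() public {
        WStETHMockOwnable token = new WStETHMockOwnable(owner);
        vm.prank(attacker);
        vm.expectRevert(); // reverts with OwnableUnauthorizedAccount(attacker)
        token.mint(attacker, 1 ether);

        vm.prank(owner);
        token.mint(owner, 1 ether);
        assertEq(token.totalSupply(), 1 ether);
    }

    function test_onlyMinterRoleCanMint() public {
        WStETHMockRoles token = new WStETHMockRoles(owner);
        bytes32 minterRole = token.MINTER_ROLE(); // read before pranking
        vm.prank(attacker);
        vm.expectRevert(); // reverts with AccessControlUnauthorizedAccount(attacker, MINTER_ROLE)
        token.mint(attacker, 1 ether);

        vm.startPrank(owner);
        token.grantRole(minterRole, owner);
        token.mint(owner, 1 ether);
        vm.stopPrank();
        assertEq(token.totalSupply(), 1 ether);
    }
}
```

Run with `forge test` in a project that has the two dependencies installed. When triaging a finding like this, check where the mock is actually deployed: a mint left open in a contract that only ever lives in the test suite is a hygiene issue, whereas the same contract referenced from deployment scripts or a live network carries the full impact described above.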