MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: medium
Invalid

No owner is set in the `MOR` contract, so there is no way to transfer ownership to another contract

Summary

In the MOR contract, the owner is not set, so there is no way to transfer ownership and no one can call the mint() function to mint tokens.

Vulnerability Details

In the MOR contract, the Ownable contract is not set:

```solidity
contract MOR is IMOR, ERC20Capped, ERC20Burnable, Ownable {
    constructor(uint256 cap_) ERC20("MOR", "MOR") ERC20Capped(cap_) {}
```

So no one can call the transferOwnership function, and the mint() function can't be called:

```solidity
function mint(address account_, uint256 amount_) external onlyOwner {  // <---
    _mint(account_, amount_);
}
```

The function _nonblockingLzReceive() tries to call the mint() function:

```solidity
function _nonblockingLzReceive(
    uint16 senderChainId_,
    bytes memory senderAndReceiverAddresses_,
    bytes memory payload_
) private {
    require(senderChainId_ == config.senderChainId, "L2MR: invalid sender chain ID"); // @auditz: a reason this can fail

    address sender_;
    assembly {
        sender_ := mload(add(senderAndReceiverAddresses_, 20))
    }
    require(sender_ == config.sender, "L2MR: invalid sender address");

    (address user_, uint256 amount_) = abi.decode(payload_, (address, uint256));

    IMOR(rewardToken).mint(user_, amount_); // <---
}
```

Impact

There is no way that tokens can be minted.

Tools Used

Manual review

Recommendations

Code should be updated to:

contract MOR is IMOR, ERC20Capped, ERC20Burnable, Ownable {
-   constructor(uint256 cap_) ERC20("MOR", "MOR") ERC20Capped(cap_) {}
+   constructor(uint256 cap_) ERC20("MOR", "MOR") ERC20Capped(cap_) Ownable(msg.sender) {}
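
Review bot: The `+` constructor line makes the deployer (`msg.sender`) the owner, but the only `mint()` caller shown on this page is `_nonblockingLzReceive()`, which reaches the token through `IMOR(rewardToken).mint(user_, amount_)` from a different contract, so that contract would still fail `onlyOwner` until ownership is transferred to it. Consider taking the intended owner as a constructor parameter, or documenting the post-deployment `transferOwnership` step alongside this change. Note also that `Ownable(msg.sender)` compiles only if the imported `Ownable` declares a constructor that takes an initial owner; the import is not shown here, so state which library version the change targets.
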
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
