MorpheusAI

Foundry
22,500 USDC
Submission Details
Severity: low
Invalid

In MOR.sol the modifier for minting tokens is onlyOwner instead of L2MessageReceiver

Summary

In the MOR token the modifier for minting tokens is onlyOwner instead of the Layer 2 Message receiver; this is a role collision.

Vulnerability Details

In MOR.sol the modifier for minting tokens is set from OpenZeppelin's only owner contract, which means that the owner role is in charge of minting tokens. Although the owner is trusted, and could transfer the role to the L2MessageReceiver, this should not be the case, as the only contract with the role of minting tokens is the L2MessageReceiver and the modifier should explicitly reflect this role, without giving it to the owner.

Impact

Protocol rewards cannot be claimed until the owner sets this role.
The use of OpenZeppelin's Ownable remains redundant.
The collision of roles may not be clear to protocol owners.
This owner is trusted, but not with this role and that should be reflected in the protocol.

Tools Used

Manual Review

Recommendations

I would recommend a modifier be set that is named onlyL2MessageReceiver and the L2MessageReceiver address is passed on construction, also with an external function to set the L2MessageReceiver address that has the only owner modifier.
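The pattern recommended above, sketched as an added example that is not part of the submission and is not the project's MOR.sol. The contract name, token name and symbol, errors and event are hypothetical, and the imports assume OpenZeppelin Contracts v5 (where `Ownable` takes the initial owner as a constructor argument).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

// Hypothetical token illustrating a dedicated minter role; not the audited code.
contract MintGatedToken is ERC20, Ownable {
    // The only address allowed to mint (the L2MessageReceiver in the submission).
    address public l2MessageReceiver;

    error NotL2MessageReceiver(address caller);
    error ZeroAddress();

    // Emitted on every change so that a re-pointed minter is visible off-chain.
    event L2MessageReceiverSet(address indexed previous, address indexed current);

    modifier onlyL2MessageReceiver() {
        if (msg.sender != l2MessageReceiver) revert NotL2MessageReceiver(msg.sender);
        _;
    }

    // The receiver address is passed on construction, as the submission recommends.
    constructor(address l2MessageReceiver_) ERC20("Example", "EXM") Ownable(msg.sender) {
        _setL2MessageReceiver(l2MessageReceiver_);
    }

    // The owner keeps only the ability to update the receiver address.
    function setL2MessageReceiver(address l2MessageReceiver_) external onlyOwner {
        _setL2MessageReceiver(l2MessageReceiver_);
    }

    // Minting is gated on the receiver role, not on ownership.
    function mint(address account_, uint256 amount_) external onlyL2MessageReceiver {
        _mint(account_, amount_);
    }

    function _setL2MessageReceiver(address l2MessageReceiver_) private {
        // Reject the zero address so minting cannot be left silently unreachable.
        if (l2MessageReceiver_ == address(0)) revert ZeroAddress();
        emit L2MessageReceiverSet(l2MessageReceiver, l2MessageReceiver_);
        l2MessageReceiver = l2MessageReceiver_;
    }
}
```

Because the setter is `onlyOwner`, the owner can still point the minter role at any address, so the owner remains inside the trust boundary for minting; the event gives monitoring a signal when that happens.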

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
