Submission Details
Severity: high
Invalid

`LoveToken::initVault` is susceptible to Oracle Manipulation resulting in misuse of token supply

Summary

LoveToken::initVault allows the airdropVault and stakingVault addresses to mint a large amount of tokens. Additionally, it does not have a mechanism to prevent it from being called multiple times by the airdropVault or stakingVault addresses.

Vulnerability Details

LoveToken::initVault sets an unlimited approval (500,000,000 ether) to LoveToken::managerContract. This could lead to risks if the contract is not secure or is malicious, as it would have the ability to transfer a large number of tokens on behalf of the airdropVault or stakingVault.

Impact

If these addresses are compromised, an attacker could mint a significant amount of tokens, potentially manipulating the token's value or conducting other malicious activities. This could lead to an unlimited minting of tokens, which would severely devalue the token and could be exploited.

Tools Used

Manual review with Audit Wizard

Recommendations

Implement rate limiting to prevent the airdropVault or stakingVault addresses from calling LoveToken::initVault multiple times. Additionally, consider implementing a mechanism to prevent the airdropVault or stakingVault addresses from minting an unlimited amount of tokens.

Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
