Potential breaching of the `MAX_SUPPLY` invariant during TGLD cross-chain transfers
Summary
A vulnerability in the TempleGold smart contract allows for the potential breach of the MAX_SUPPLY invariant due to inadequate checks during the minting process. Specifically, the function _canDistribute can permit distributions that exceed the maximum supply of TGLD tokens, posing a risk of over-minting.
Vulnerability Details
This function eventually gets called in the case where there is a need to distribute TGLD tokens. It includes a special logic to allow for the last attempt of minting to directly equal MAX_SUPPLY, which means that at the final attempt, there is no problem if the mintAmount is less than the MINIMUM_MINT. The issue, however, is that the max supply invariant could be breached, because in the case where mintAmount is massive and would make us now pass the value for MAX_SUPPLY, there is no check to stop this.
Impact
A subtle invariant is broken, allowing more than the MAX_SUPPLY to be distributed for TGLD tokens.
Tools Used
Manual review
Recommendations
Introduce a check to ensure that the amount of tokens to be distributed does not exceed the MAX_SUPPLY.
Lead Judging Commences
`_canDistribute` could return a result breaking the MAX TOTAL SUPPLY of TGLD
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.