The _canDistribute function is an internal checker invoked every time we try to mint TGLD to a staking contract in order to check if:
The minted amount is not 0
The supply cap has been reached
However, the check for reaching the maximum supply is wrong and would allow minting over the cap.
The current check is mintAmount != 0 && _totalDistributed + mintAmount == MAX_SUPPLY ? true : mintAmount >= MINIMUM_MINT, thus if we are minting more than zero and we reach exactly the cap, we return true. Otherwise we check if we are over the minimum. The intention here is that in the scenario where the MAX is not reached, but the tokens left are less than the MINIMUM, we would still be able to mint.
However, the check as it is written would allow minting over the max supply if:
the mint amount is non-zero
_totalDistributed + mintAmount > MAX_SUPPLY
mintAmount >= MINIMUM_MINT
Under these conditions, for example:
If we have a max of 100000, current supply is 95000, minimum of 5000 and we try to mint 10000 tokens, all of the above are true since 10000 is non-zero, the sum of the 2 values is 110000 and 10000 > 5000. Thus we will successfully mint tokens over the supply.
Broken invariant leads to more tokens being totally minted than intended
Manual Review
Imo the entire _canDistribute should be refactored.
The check for the 0 amount is fine; however, the supply check should be if (_totalDistributed + mintAmount > MAX_SUPPLY) return (MAX_SUPPLY - _totalDistributed)
At some point this new if condition will start returning 0, since once we hit the maximum the subtraction is of 2 equal values.
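The quoted check next to the clamp recommended above, as an added Solidity sketch that is not the audited contract's code. The contract name, `canDistributeFlawed`, `cappedMintAmount` and `distribute` are hypothetical, and the constants are the numbers from the finding's worked example rather than the real TGLD values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration only; not the audited contract.
/// Constants are the example numbers used in the finding (assumed values).
contract CanDistributeExample {
    uint256 public constant MAX_SUPPLY = 100_000;
    uint256 public constant MINIMUM_MINT = 5_000;

    // "Current supply" from the finding's example.
    uint256 public totalDistributed = 95_000;

    /// The check as quoted in the finding. `&&` binds tighter than `?:`, so it
    /// parses as: (nonzero && lands exactly on the cap) ? true : amount >= MINIMUM_MINT.
    /// The fallback branch never compares the running total against MAX_SUPPLY.
    function canDistributeFlawed(uint256 mintAmount) public view returns (bool) {
        return mintAmount != 0 && totalDistributed + mintAmount == MAX_SUPPLY
            ? true
            : mintAmount >= MINIMUM_MINT;
    }

    /// Clamp in the spirit of the recommendation: never hand back more than
    /// the room left under the cap. Returns 0 once the cap has been reached.
    function cappedMintAmount(uint256 mintAmount) public view returns (uint256) {
        uint256 remaining = MAX_SUPPLY - totalDistributed;
        return mintAmount > remaining ? remaining : mintAmount;
    }

    /// Hypothetical mint path built on the clamp. It keeps the stated intent
    /// that the final mint may be smaller than MINIMUM_MINT when it fills the cap.
    function distribute(uint256 mintAmount) external returns (uint256 minted) {
        minted = cappedMintAmount(mintAmount);
        require(minted != 0, "nothing to mint");
        require(
            minted >= MINIMUM_MINT || totalDistributed + minted == MAX_SUPPLY,
            "below minimum mint"
        );
        totalDistributed += minted;
        // Invariant the finding says is broken by the quoted check.
        assert(totalDistributed <= MAX_SUPPLY);
    }
}
```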