Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: high
Invalid

Use of Non-Production-Ready Trusted Mint could lead to Token loss

Summary

The NativeMetaTransaction contract inherits from EIP712BaseContext, thereby allowing meta-transactions to work with its functions. It relies on a trusted minter that is set in the constructor. The trusted minter that it depends on is the mint, which is located in the External contract. However, the mint function is not ready for production use and is mainly meant for testing.

By using the mint function, Tokens could potentially be lost. In addition, the mint's signed requests do not expire and lack batching, which is useful when dealing with a large volume of requests to be forwarded.

Vulnerability Details

Reference point: function mint

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/shared/testERC20.sol#L16

https://github.com/Cyfrin/2024-11-one-world/blob/1e872c7ab393c380010a507398d4b4caca1ae32b/contracts/dao/tokens/MembershipERC1155.sol#L60

Impact

Tokens could potentially be lost.

Tools Used

Manual Review

Recommendations

Consider using OpenZeppelin's ERC20 instead. While this contract is not available until v5.0 is released, the source code can be obtained from the master branch and inserted into the codebase.

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 10 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
