Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

`MINTER_ROLE` can be granted by the deployer of the ERC1155 token and used to mint an arbitrary amount of tokens

Summary

```solidity
// Minting is gated only by the MINTER_ROLE; the role itself is managed by
// the DEFAULT_ADMIN_ROLE holder (the deployer) through AccessControl.
function mint(address account, uint256 id, uint256 amount, bytes memory data)
    public
    onlyRole(MINTER_ROLE)
{
    _mint(account, id, amount, data);
}

function mintBatch(address to, uint256[] memory ids, uint256[] memory amounts, bytes memory data)
    public
    onlyRole(MINTER_ROLE)
{
    _mintBatch(to, ids, amounts, data);
}
```

Vulnerability Details

Using the `mint()` and `mintBatch()` functions of the ERC1155 token, any address holding `MINTER_ROLE` can mint an arbitrary amount of tokens, with no cap and no per-id supply limit. Because the functions use OpenZeppelin `AccessControl`, the holder of `DEFAULT_ADMIN_ROLE` (by default the deployer) can also call `grantRole(MINTER_ROLE, anyAddress)` at any time, so the set of minters is not fixed at deployment. A reviewer can check the live state with `hasRole(MINTER_ROLE, addr)`, `getRoleAdmin(MINTER_ROLE)` and `hasRole(DEFAULT_ADMIN_ROLE, deployer)`; if the admin role has not been renounced, new minters can still be added.

If the private key of the deployer or of an address with `MINTER_ROLE` is compromised, the attacker will be able to mint an unlimited amount of ERC1155 tokens. I believe this is unnecessary and poses a serious centralization risk.

Impact

An address holding `MINTER_ROLE`, or the admin that can grant it, could mint excessive amounts of ERC1155 tokens, diluting existing holders.

Tools Used

Manual review

Recommendations

Consider removing `MINTER_ROLE`, making the ERC1155 token mintable only by a single minter address fixed at deployment, and setting that address to the `OWPIdentity` contract so that it is the only minter. Note that this only relocates trust: if `OWPIdentity` itself exposes owner-controlled minting, the same key-compromise risk remains one call further away.
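The following is an added illustration of the recommended pattern, written for this page; it is not the project's code and makes no claim about how `OWPIdentity` is actually implemented. It assumes OpenZeppelin's `ERC1155` base contract and takes the minter address as a constructor argument, so no admin key can later add or swap a minter. The contract name `SingleMinterERC1155` and the `NotMinter` error are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC1155} from "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";

/// Hardened variant (illustrative, not the project's code): minting is bound to one
/// contract chosen at deployment. There is no AccessControl, so there is no
/// DEFAULT_ADMIN_ROLE that could grant MINTER_ROLE to a compromised or new address.
contract SingleMinterERC1155 is ERC1155 {
    /// The only address allowed to mint, e.g. the OWPIdentity contract (assumption).
    address public immutable minter;

    error NotMinter(address caller);

    constructor(string memory uri_, address minter_) ERC1155(uri_) {
        // A zero minter would make the token permanently unmintable.
        require(minter_ != address(0), "minter is zero address");
        minter = minter_;
    }

    modifier onlyMinter() {
        if (msg.sender != minter) revert NotMinter(msg.sender);
        _;
    }

    // Same external surface as the original mint/mintBatch, but the gate is an
    // immutable address rather than a role that an admin key can hand out.
    function mint(address account, uint256 id, uint256 amount, bytes memory data)
        external
        onlyMinter
    {
        _mint(account, id, amount, data);
    }

    function mintBatch(address to, uint256[] memory ids, uint256[] memory amounts, bytes memory data)
        external
        onlyMinter
    {
        _mintBatch(to, ids, amounts, data);
    }
}
```

Deployment order matters: the minter contract must exist (or its address be precomputed) before the token is deployed. If the minter contract also needs the token address, one side needs a one-time, non-resettable setter instead of an immutable; that setter is then the remaining point to audit.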

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
