Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

`MINTER_ROLE` can be granted by the deployer of the ERC1155 token and used to mint an arbitrary amount of tokens

Summary

```solidity
// Excerpt from the audited ERC1155 token: both mint entry points are gated only
// by MINTER_ROLE, so every holder of that role can mint without any limit.
function mint(address account, uint256 id, uint256 amount, bytes memory data)
    public
    onlyRole(MINTER_ROLE)
{
    _mint(account, id, amount, data);
}

function mintBatch(address to, uint256[] memory ids, uint256[] memory amounts, bytes memory data)
    public
    onlyRole(MINTER_ROLE)
{
    _mintBatch(to, ids, amounts, data);
}
```

Vulnerability Details

Through the mint() and mintBatch() functions of the ERC1155 token, any address holding MINTER_ROLE can mint an arbitrary amount of tokens.

If the private key of the deployer or of an address holding MINTER_ROLE is compromised, the attacker will be able to mint an unlimited amount of ERC1155 tokens. I believe this is unnecessary and poses a serious centralization risk.

Impact

Any holder of MINTER_ROLE could mint excessive amounts of ERC1155 tokens.

Tools Used

Manual review

Recommendations

Consider removing the MINTER_ROLE, making the ERC1155 token mintable only by its owner, and making the OWPIdentity contract the owner and therefore the only minter.
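The shape of that recommendation, as an added illustration that is not code from the One World project: the token drops AccessControl and MINTER_ROLE entirely, gates minting with onlyOwner, and ownership is handed to the contract that holds the business rules. It assumes OpenZeppelin Contracts v5.x; the contract names, the metadata URI and the token id are constructed placeholders, and IdentityMinterStub is only a stand-in for the calling side, not the real OWPIdentity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the recommendation above; not code from the audited
// project. Assumes OpenZeppelin Contracts v5.x. All names and values below are
// constructed placeholders.
import "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

/// Hardened token: no MINTER_ROLE and no AccessControl. Minting is gated by
/// onlyOwner, and the owner is meant to be the identity contract, so the
/// deployer's key cannot mint on its own once ownership has been transferred.
contract OwnerMintedERC1155 is ERC1155, Ownable {
    constructor(string memory uri_, address initialOwner)
        ERC1155(uri_)
        Ownable(initialOwner)
    {}

    function mint(address account, uint256 id, uint256 amount, bytes memory data)
        external
        onlyOwner
    {
        _mint(account, id, amount, data);
    }

    function mintBatch(address to, uint256[] memory ids, uint256[] memory amounts, bytes memory data)
        external
        onlyOwner
    {
        _mintBatch(to, ids, amounts, data);
    }
}

/// Constructed stand-in for the identity contract that is supposed to be the
/// sole minter. It is NOT the project's OWPIdentity; it only shows the calling
/// side: the mint rule (one token per address) lives here, and the token
/// trusts no other caller.
contract IdentityMinterStub {
    OwnerMintedERC1155 public immutable token;
    uint256 public constant MEMBERSHIP_ID = 1; // placeholder token id
    mapping(address => bool) public registered;

    constructor(OwnerMintedERC1155 token_) {
        token = token_;
    }

    /// One membership token per address. Nobody can obtain more from the token
    /// contract directly, because only this contract is its owner.
    function register() external {
        require(!registered[msg.sender], "already registered");
        registered[msg.sender] = true;
        token.mint(msg.sender, MEMBERSHIP_ID, 1, "");
    }
}

/// Deployment sketch: wire both contracts so that the identity contract ends
/// up as owner and the deployer is left with no minting path.
contract Deploy {
    function run() external returns (OwnerMintedERC1155 token, IdentityMinterStub identity) {
        // Step 1: deploy the token, owned temporarily by this deployer contract.
        token = new OwnerMintedERC1155("ipfs://placeholder/{id}.json", address(this));
        // Step 2: deploy the identity contract pointing at the token.
        identity = new IdentityMinterStub(token);
        // Step 3: hand ownership to the identity contract. From here on the
        // deployer cannot call mint() or mintBatch(); the OwnableUnauthorizedAccount
        // revert from OZ v5 is what a test should expect for such a call.
        token.transferOwnership(address(identity));
    }
}
```

When reviewing the deployed system rather than the source, the equivalent check is to confirm that `owner()` on the token returns the identity contract's address and that no externally owned account can call `mint()`. If the project keeps AccessControl instead, the same review should enumerate every `RoleGranted` event for `MINTER_ROLE` to confirm that the deployer EOA is not among the holders.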

Updates

Lead Judging Commences

0xbrivan2 Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Out of scope
