Project

One World
NFTDeFi
15,000 USDC
Submission Details
Severity: medium
Invalid

Too much access control is given to the minter role.

Summary

Too much access control is given to the minter role. As we can see, we can mint or burn any token with this access, so it becomes very powerful.

Vulnerability Details

https://github.com/Cyfrin/2024-11-one-world/blob/main/contracts/OWPIdentity.sol#L31C4-L70C1

```solidity
// Excerpt of OWPIdentity.sol (see link above); contract declaration and imports omitted.
// Lines marked @>> are the ones the finding points at. Every function below is gated by
// the same MINTER_ROLE, so one role both creates and destroys balances.

// @>>
function mint(address account, uint256 id, uint256 amount, bytes memory data)
    public
    onlyRole(MINTER_ROLE)
{
    _mint(account, id, amount, data);
}

// @>>
function mintBatch(address to, uint256[] memory ids, uint256[] memory amounts, bytes memory data)
    public
    onlyRole(MINTER_ROLE)
{
    _mintBatch(to, ids, amounts, data);
}

// Burns any holder's balance; overrides the ERC1155Burnable variant with a role check.
function burn(address account, uint256 id, uint256 amount)
    public override
    onlyRole(MINTER_ROLE)
{
    _burn(account, id, amount);
}

function burnBatch(address to, uint256[] memory ids, uint256[] memory amounts)
    public override
    onlyRole(MINTER_ROLE)
{
    _burnBatch(to, ids, amounts);
}

// Burns one (id, amount) pair from each address in tos, under the same role.
function burnBatchMultiple(address[] memory tos, uint256[] memory ids, uint256[] memory amounts)
    public
    onlyRole(MINTER_ROLE)
{
    require(tos.length == ids.length, "Invalid input");
    require(amounts.length == ids.length, "Invalid input");
    for (uint256 i = 0; i < tos.length; i++) {
        _burn(tos[i], ids[i], amounts[i]);
    }
}
```

Impact

Too much access control is given to the minter role. As we can see, we can mint or burn any token with this access.

Tools Used

Recommendations

Do some different access control.
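The recommendation above is left abstract, and the judge treated the single-role design as a design choice. For readers who want to see what "different access control" concretely looks like, here is an added illustration (editor's example, not code from the One World repository or from the submitter): an ERC-1155 contract where minting and burning are gated by two separate roles, so that a compromised or misbehaving minter key cannot destroy holders' balances. It assumes OpenZeppelin Contracts v5 (`ERC1155`, `AccessControl`) and Solidity 0.8.20 or later; the contract name `SplitRoleIdentity`, the `BURNER_ROLE` constant and the `admin` constructor argument are invented for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not OWPIdentity.sol. Assumes OpenZeppelin Contracts v5.
import {ERC1155} from "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

contract SplitRoleIdentity is ERC1155, AccessControl {
    // Two distinct roles: a minter cannot burn, a burner cannot mint.
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
    bytes32 public constant BURNER_ROLE = keccak256("BURNER_ROLE");

    // The admin decides who holds each role and can revoke either independently
    // (hypothetical constructor signature for this example).
    constructor(string memory uri_, address admin) ERC1155(uri_) {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
    }

    function mint(address account, uint256 id, uint256 amount, bytes memory data)
        external
        onlyRole(MINTER_ROLE)
    {
        _mint(account, id, amount, data);
    }

    function mintBatch(address to, uint256[] calldata ids, uint256[] calldata amounts, bytes memory data)
        external
        onlyRole(MINTER_ROLE)
    {
        _mintBatch(to, ids, amounts, data);
    }

    // Burning is gated by BURNER_ROLE only. A MINTER_ROLE holder calling this
    // reverts with AccessControlUnauthorizedAccount.
    function burn(address account, uint256 id, uint256 amount)
        external
        onlyRole(BURNER_ROLE)
    {
        _burn(account, id, amount);
    }

    function burnBatch(address from, uint256[] calldata ids, uint256[] calldata amounts)
        external
        onlyRole(BURNER_ROLE)
    {
        _burnBatch(from, ids, amounts);
    }

    // Same multi-holder burn as the original, but under the separate role,
    // with the length checks folded into one require.
    function burnBatchMultiple(address[] calldata tos, uint256[] calldata ids, uint256[] calldata amounts)
        external
        onlyRole(BURNER_ROLE)
    {
        require(tos.length == ids.length && amounts.length == ids.length, "Invalid input");
        for (uint256 i = 0; i < tos.length; i++) {
            _burn(tos[i], ids[i], amounts[i]);
        }
    }

    // Both parents declare supportsInterface; resolve the diamond explicitly.
    function supportsInterface(bytes4 interfaceId)
        public
        view
        override(ERC1155, AccessControl)
        returns (bool)
    {
        return super.supportsInterface(interfaceId);
    }
}
```

The check a reviewer would run in a Foundry test is the negative case: grant only `MINTER_ROLE` to an address, `vm.prank` as that address, wrap `burn` in `vm.expectRevert`, and confirm the revert carries `AccessControlUnauthorizedAccount` with the `BURNER_ROLE` identifier. Whether the split is worth its operational cost is exactly the design question the judge pointed to; the example only shows that the separation is a few lines of role plumbing, not a rewrite.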

Updates

Lead Judging Commences

0xbrivan2 Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
