In the OWPIdentity.sol contract, the MINTER_ROLE can mint an unrestricted amount of NFTs. This is more of a design issue than an actual bug in my opinion.
The issue should not be taken lightly because this attack is the leading attack in DeFi according to this statistic: https://x.com/_iphelix/status/1855855006219690233?t=KTQYuqICOMlKM0WWso91RA&s=19
If the private keys were compromised during the launch, the attacker could mint almost all of the NFTs. Normally I wouldn't say this is an issue, but from your documentation I understand that you are not planning to use a multi-sig wallet for the owner of the contracts. I definitely don't want to say that you are incompetent and can't store your private keys safely, but private keys are getting compromised very often in this space.
An attacker could mint massive amounts of NFTs.
Manual
Limit how many NFTs the MINTER_ROLE can mint. So even if the private keys were compromised, the attacker couldn't destroy the entire set by minting thousands of the NFTs to himself, making the entire set worth nothing.
I also think this will help with the trust of the protocol, since the buyers will know exactly how many NFTs the Dev Team can mint for themselves.
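One way to implement the recommended cap, as an added sketch that is not part of the submission and not the project's own code. It assumes an ERC-1155 token built on OpenZeppelin v5; the contract name `CappedIdentity`, the `maxSupply` and `totalMinted` mappings and the `CapExceeded` error are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC1155} from "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

// Hypothetical contract, not OWPIdentity.sol. ERC-1155 and all names are assumptions.
contract CappedIdentity is ERC1155, AccessControl {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");

    // Hard cap per token id, fixed at deployment. There is no setter, so a
    // compromised admin or minter key cannot raise it later.
    mapping(uint256 => uint256) public maxSupply;
    // Cumulative amount ever minted per id (never decremented).
    mapping(uint256 => uint256) public totalMinted;

    error CapExceeded(uint256 id, uint256 requested, uint256 remaining);

    constructor(string memory uri_, uint256[] memory ids, uint256[] memory caps)
        ERC1155(uri_)
    {
        require(ids.length == caps.length, "length mismatch");
        for (uint256 i = 0; i < ids.length; i++) {
            maxSupply[ids[i]] = caps[i];
        }
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
        _grantRole(MINTER_ROLE, msg.sender);
    }

    // Ids that were not given a cap in the constructor have maxSupply 0
    // and therefore cannot be minted at all.
    function mint(address to, uint256 id, uint256 amount, bytes memory data)
        external
        onlyRole(MINTER_ROLE)
    {
        // Cannot underflow: totalMinted[id] never exceeds maxSupply[id].
        uint256 remaining = maxSupply[id] - totalMinted[id];
        if (amount > remaining) revert CapExceeded(id, amount, remaining);
        totalMinted[id] += amount; // update state before the receiver callback in _mint
        _mint(to, id, amount, data);
    }

    function supportsInterface(bytes4 interfaceId)
        public view override(ERC1155, AccessControl) returns (bool)
    {
        return super.supportsInterface(interfaceId);
    }
}
```

Any batch-mint entry point would need the same per-id check, and buyers can read `maxSupply` and `totalMinted` on-chain to see how much minting headroom remains.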