The mint function for the IndexToken contract (found here) has no access control checks, so any user can call it to mint tokens without limit.
The mint function is defined as follows:
As shown, anyone can call it with whatever to and amount values they want (unless to is the 0 address or amount is enough to cause an overflow in the total supply).
According to the docs, "The IndexToken is a basic ERC20 token implementation with minting capabilities, designed to represent index positions or shares in the RAAC protocol. It provides a simple and secure way to track ownership of index-based assets." As such, allowing anyone to mint tokens for themselves lets them misrepresent their shares of the RAAC protocol.
Furthermore, the token is used by the NFTLiquidator when liquidating NFTs here. This call will revert if debt causes the total supply to exceed the max uint256. Thus, someone can cause a denial of service on liquidateNFT by minting exactly UINT256_MAX index tokens. In that case, any NFT with a non-zero debt cannot be liquidated.
N/A
Add access control to mint as is appropriate. It seems like the only caller of mint for the IndexToken should be the NFTLiquidator contract, though obviously the full allowable set of callers depends on the intentions of the developers.
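One way to apply this recommendation, as an added example that is not the RAAC project's code: a single authorised minter address, set by the owner, gates mint. The names RestrictedIndexToken, minter, setMinter, NotMinter and MinterUpdated are hypothetical, and OpenZeppelin Contracts v5 is assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: hypothetical hardened token, assuming OpenZeppelin Contracts v5.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

contract RestrictedIndexToken is ERC20, Ownable {
    // The only address allowed to mint (for example, the liquidator contract).
    address public minter;

    error NotMinter(address caller);
    event MinterUpdated(address indexed previousMinter, address indexed newMinter);

    constructor(string memory name_, string memory symbol_, address initialOwner)
        ERC20(name_, symbol_)
        Ownable(initialOwner)
    {}

    modifier onlyMinter() {
        if (msg.sender != minter) revert NotMinter(msg.sender);
        _;
    }

    // Owner-only: choose which contract may mint. Until this is called,
    // minter is address(0) and every mint call reverts, so the token
    // fails closed instead of open.
    function setMinter(address newMinter) external onlyOwner {
        emit MinterUpdated(minter, newMinter);
        minter = newMinter;
    }

    // Same signature as an unrestricted mint, but an arbitrary caller can no
    // longer inflate totalSupply, so it cannot use up the uint256 headroom
    // that later mints by the authorised minter depend on.
    // ERC20._mint still rejects the zero address and supply overflow.
    function mint(address to, uint256 amount) external onlyMinter {
        _mint(to, amount);
    }
}
```

If more than one contract must mint, the same gate can be expressed with a role-based scheme such as OpenZeppelin's AccessControl instead of a single minter address.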