Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: medium
Invalid

Missing access control in IndexToken::mint(): anyone can call it and mint tokens.

Summary

While the NFTLiquidator contract's call to indexToken.mint(...) is restricted by the OnlyStabilityPool modifier inside NFTLiquidator itself, anyone can call the IndexToken contract's mint function (IndexToken::mint()) directly, because it is external and has no access control of its own.

Noticed this while reviewing the StabilityPool contract.

Impact

indexToken.mint(...) can be called directly by any address. Below is the function declaration showing the missing access control.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Import path assumed (OpenZeppelin's ERC20); the original excerpt omits it.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";

contract IndexToken is ERC20 {
    error InvalidAddress();

    constructor(string memory name, string memory symbol) ERC20(name, symbol) {}

    // No modifier on mint(): any externally owned account or contract can call it.
    function mint(address to, uint256 amount) external {
        if (to == address(0)) revert InvalidAddress();
        _mint(to, amount);
    }
}

POC

A malicious user could bypass NFTLiquidator entirely and just do:

indexToken.mint(maliciousUser, 1_000_000e18);

Tools Used

Manual review

Recommendations

Access control should be added to the mint function itself (for example an onlyOwner, onlyMinter, or onlyLiquidator modifier) so that arbitrary addresses cannot call it directly.
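One way to apply that recommendation, as an added example and not the project's own code: mint() is gated behind a single configurable minter address, which the owner sets to the NFTLiquidator after deployment. It assumes OpenZeppelin Contracts v5 (where Ownable takes the initial owner in its constructor); the setMinter function, the NotMinter error and the MinterUpdated event are names chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Assumes OpenZeppelin Contracts v5.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

contract IndexToken is ERC20, Ownable {
    error InvalidAddress();
    error NotMinter(address caller);

    event MinterUpdated(address indexed previousMinter, address indexed newMinter);

    // The only address allowed to mint; the owner points this at the NFTLiquidator.
    address public minter;

    constructor(string memory name, string memory symbol, address initialOwner)
        ERC20(name, symbol)
        Ownable(initialOwner)
    {}

    modifier onlyMinter() {
        if (msg.sender != minter) revert NotMinter(msg.sender);
        _;
    }

    // Owner wires the liquidator in after deployment, or rotates to a new one.
    function setMinter(address newMinter) external onlyOwner {
        if (newMinter == address(0)) revert InvalidAddress();
        emit MinterUpdated(minter, newMinter);
        minter = newMinter;
    }

    // Same body as the original mint(), but now only the configured minter can call it;
    // a direct call from any other address reverts with NotMinter.
    function mint(address to, uint256 amount) external onlyMinter {
        if (to == address(0)) revert InvalidAddress();
        _mint(to, amount);
    }
}
```

Until setMinter has been called, minter is address(0) and every mint() call reverts, so the deployment script must set the liquidator explicitly.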

Updates

Lead Judging Commences

inallhonesty Lead Judge 4 months ago
Submission Judgement Published
Invalidated
Reason: Out of scope
