Beatland Festival

First Flight #44
Beginner Friendly, Foundry, Solidity, NFT
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

Unrestricted Minting Without Max Supply Cap Allows Token Inflation

Root + Impact

Description

  • The mint() function allows the festivalContract to mint tokens to any address. However, there is no cap or maximum supply limit enforced in the BeatToken contract.

  • This unrestricted minting can lead to inflation, devaluation of the token, or loss of trust among users and investors. A malicious or compromised festivalContract can mint unlimited tokens, diluting the circulating supply.

function mint(address to, uint256 amount) external {
    require(msg.sender == festivalContract, "Only_Festival_Mint");
@>  _mint(to, amount); <@
}

Risk

Likelihood:

  • Occurs whenever the festivalContract chooses to mint an arbitrary number of tokens.

  • There are no constraints in the smart contract code preventing over-minting.

Impact:

  • Total supply of tokens can be manipulated by the festivalContract.

  • Token holders' balances can be diluted, reducing trust and token value.

Proof of Concept

// The festival contract (or whoever controls it) calls this repeatedly
beatToken.mint(attackerAddress, 1_000_000 * 1e18);
// With no cap check, the call can be repeated without bound

Recommended Mitigation

- _mint(to, amount);
+ require(totalSupply() + amount <= MAX_SUPPLY, "Cap exceeded");
+ _mint(to, amount);
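Review bot: the added require references MAX_SUPPLY, which this hunk does not declare, so the constant given below as a separate step should be part of the same change or the hunk will not compile on its own. Worth stating what the cap does and does not buy: it bounds total issuance at MAX_SUPPLY, but a compromised festivalContract (the trust assumption raised in the Description) can still mint the entire remaining allowance to one address in a single call, so the cap limits the magnitude of the inflation rather than removing the dependence on festivalContract.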

Also add at the top of the contract:

uint256 public constant MAX_SUPPLY = 1_000_000_000 * 1e18;

Updates
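As an added illustration (not code from this submission or from the Beatland Festival project), here is a hardened variant of the mint() above with the cap from the mitigation, plus a Foundry test that exercises the boundary. It assumes OpenZeppelin's ERC20 and forge-std are available; the contract name CappedBeatToken, the CapExceeded error, the token name/symbol and the test names are made up here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Test} from "forge-std/Test.sol";

// Hardened variant of the page's mint(): same access check as before,
// plus a hard cap on total issuance. Name, symbol and contract name are placeholders.
contract CappedBeatToken is ERC20 {
    uint256 public constant MAX_SUPPLY = 1_000_000_000 * 1e18;
    address public immutable festivalContract;
    error CapExceeded(uint256 requested, uint256 remaining);

    constructor(address _festivalContract) ERC20("Beat", "BEAT") {
        festivalContract = _festivalContract;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == festivalContract, "Only_Festival_Mint");
        // totalSupply() never exceeds MAX_SUPPLY, so this subtraction cannot underflow
        uint256 remaining = MAX_SUPPLY - totalSupply();
        if (amount > remaining) revert CapExceeded(amount, remaining);
        _mint(to, amount);
    }
}

// Foundry test (assumed harness): the festival may mint exactly up to the cap,
// the first mint that would cross it reverts, and nobody else may mint at all.
contract CappedBeatTokenTest is Test {
    address festival = makeAddr("festival");
    address user = makeAddr("user");
    CappedBeatToken token;

    function setUp() public {
        token = new CappedBeatToken(festival);
    }

    function testMintRespectsCap() public {
        vm.startPrank(festival);
        token.mint(user, token.MAX_SUPPLY()); // reaching the cap exactly is allowed
        vm.expectRevert(abi.encodeWithSelector(CappedBeatToken.CapExceeded.selector, 1, 0));
        token.mint(user, 1); // one wei over the cap reverts
        vm.stopPrank();
        assertEq(token.totalSupply(), token.MAX_SUPPLY());
    }

    function testOnlyFestivalCanMint() public {
        vm.prank(user);
        vm.expectRevert(bytes("Only_Festival_Mint"));
        token.mint(user, 1);
    }
}
```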

Lead Judging Commences

inallhonesty Lead Judge about 1 month ago
Submission Judgement Published
Invalidated
Reason: Lack of quality
