Raisebox Faucet

First Flight #50
Beginner Friendly
Solidity
100 EXP
Submission Details
Impact: high
Likelihood: high

Unlimited Token Minting by Owner

Author: Revealed upon completion

Root + Impact

Description

  • The contract lets the owner mint an arbitrary number of tokens with no upper bound through the mintFaucetTokens() function.
    The total supply can therefore be inflated without limit, undermining whatever scarcity or value the token is meant to have.

    function mintFaucetTokens(address to, uint256 amount) external onlyOwner {
    @> _mint(to, amount); // no max supply or cap check
    }

    ERC20 itself imposes no supply cap, but tokens that are meant to carry value usually fix a MAX_SUPPLY (for example via OpenZeppelin's ERC20Capped) or enforce a minting schedule. This contract does neither, so every call to mintFaucetTokens() adds to the supply with no ceiling other than uint256 arithmetic.

Risk

Likelihood:

  • Only the owner can call mintFaucetTokens(), but nothing limits how often it is called or how much is minted per call.

  • No cumulative check exists, so a malicious owner, or an attacker holding a compromised owner key, can inflate the supply in a single transaction.

Impact:

  • Holders’ token balances can be diluted.

  • Faucets or users relying on token scarcity may lose trust or utility value.

Proof of Concept

// Owner can repeatedly call this; nothing bounds the cumulative amount
mintFaucetTokens(owner, 10_000_000 ether);
mintFaucetTokens(owner, 999_999_999 ether);
// totalSupply() is now above 1e9 tokens and keeps growing with every call
The total supply will keep increasing indefinitely, with no point at which a mint reverts.
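The following Foundry test is an added example and not the Raisebox Faucet project's code. It uses two hypothetical stand-in contracts, UncappedFaucetToken and CappedFaucetToken, built on OpenZeppelin v5's ERC20 and Ownable, to show the unbounded mint from the PoC above next to a mint that enforces a cumulative MAX_SUPPLY. It assumes a Foundry project with forge-std and OpenZeppelin installed under the usual remappings; the cap value and token name are placeholders.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Assumes forge-std and OpenZeppelin v5
// are installed with the standard remappings of a Foundry project.
import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// Hypothetical stand-in for the faucet token: mint has no bound, as in the finding.
contract UncappedFaucetToken is ERC20, Ownable {
    constructor() ERC20("Faucet", "FCT") Ownable(msg.sender) {}

    function mintFaucetTokens(address to, uint256 amount) external onlyOwner {
        _mint(to, amount); // no max supply or cap check
    }
}

/// Same token with the recommended cumulative cap applied.
contract CappedFaucetToken is ERC20, Ownable {
    uint256 public constant MAX_SUPPLY = 1_000_000 ether; // placeholder value

    constructor() ERC20("Faucet", "FCT") Ownable(msg.sender) {}

    function mintFaucetTokens(address to, uint256 amount) external onlyOwner {
        // Check against totalSupply(), not just this call's amount, so the cap
        // holds across many small mints rather than only large single ones.
        require(totalSupply() + amount <= MAX_SUPPLY, "Exceeds max supply");
        _mint(to, amount);
    }
}

contract MintCapTest is Test {
    address owner = makeAddr("owner");
    address user = makeAddr("user");

    function test_UncappedOwnerInflatesSupplyWithoutLimit() public {
        vm.startPrank(owner);
        UncappedFaucetToken t = new UncappedFaucetToken();
        t.mintFaucetTokens(owner, 10_000_000 ether);
        t.mintFaucetTokens(owner, 999_999_999 ether);
        vm.stopPrank();
        // Nothing stopped either mint: supply is the plain sum of both calls.
        assertEq(t.totalSupply(), 1_009_999_999 ether);
    }

    function test_CappedRevertsPastMaxSupply() public {
        vm.startPrank(owner);
        CappedFaucetToken t = new CappedFaucetToken();
        t.mintFaucetTokens(user, 600_000 ether);

        // 600k already minted, so a further 500k would breach the cap.
        vm.expectRevert("Exceeds max supply");
        t.mintFaucetTokens(user, 500_000 ether);

        // Filling the cap exactly is allowed; one more wei is not.
        t.mintFaucetTokens(user, 400_000 ether);
        assertEq(t.totalSupply(), t.MAX_SUPPLY());
        vm.expectRevert("Exceeds max supply");
        t.mintFaucetTokens(user, 1);
        vm.stopPrank();
    }

    function test_NonOwnerCannotMint() public {
        CappedFaucetToken t = new CappedFaucetToken(); // deployer is this test contract
        vm.prank(user);
        vm.expectRevert(
            abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, user)
        );
        t.mintFaucetTokens(user, 1 ether);
    }
}
```

Run with `forge test --match-contract MintCapTest -vv`. The second test is the one that matters for the finding: it checks the cap cumulatively, so splitting a large mint into several smaller calls cannot bypass it.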

Recommended Mitigation

+ uint256 public constant MAX_SUPPLY = 1_000_000 ether;
function mintFaucetTokens(address to, uint256 amount) external onlyOwner {
- _mint(to, amount);
+ require(totalSupply() + amount <= MAX_SUPPLY, "Exceeds max supply");
+ _mint(to, amount);
}
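Review bot: The cumulative check `require(totalSupply() + amount <= MAX_SUPPLY, ...)` is the right shape, since it bounds the running total rather than a single call, but the `1_000_000 ether` constant is a placeholder and should be sized against the faucet's drip amount and expected number of claims, with the reasoning documented next to the constant. Consider also inheriting OpenZeppelin's ERC20Capped instead of checking inside `mintFaucetTokens()` alone, so the cap is enforced in the token's mint path and any future minting function cannot skip it.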
