BriVault

First Flight #52
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

Unlimited Owner Minting Capability Leading to Centralization Risk and Potential Inflation Attack

Root + Impact

Description

  • The BriTechToken contract implements a standard ERC20 token with proper access control using OpenZeppelin's Ownable pattern

  • The mint() function allows the contract owner to create unlimited tokens without any supply cap, creating significant centralization and economic risk

  • https://github.com/CodeHawks-Contests/2025-11-brivault/blob/1f515387d58149bf494dc4041b6214c2546b3b27/src/briTechToken.sol#L11

```solidity
contract BriTechToken is ERC20, Ownable {
    constructor() ERC20("BriTechLabs", "BTT") Ownable(msg.sender) {}

    function mint() public onlyOwner {
        _mint(owner(), 10_000_000 * 1e18); // @> Unlimited minting capability with no supply constraints
    }
}
```

Risk

Likelihood:

  • The owner can execute the mint function multiple times without restrictions

  • No maximum supply validation prevents repeated minting operations

Impact:

  • Unlimited token supply inflation leading to complete devaluation of holder assets

  • Destruction of token economic model and loss of investor confidence


Proof of Concept

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20; // pragma assumed; OpenZeppelin v5's Ownable(msg.sender) needs >=0.8.20

import {Test} from "forge-std/Test.sol";
import {BriTechToken} from "../src/briTechToken.sol"; // import path assumed relative to test/

contract UnlimitedMintingTest is Test {
    function testUnlimitedMinting() public {
        // Setup: deploy the contract; the deployer (this test contract) becomes the owner
        address owner = address(this);
        BriTechToken token = new BriTechToken();
        assertEq(token.owner(), owner, "Deployer should be owner");
        // Initial state verification
        assertEq(token.totalSupply(), 0, "Initial supply should be zero");
        // Attack simulation: owner mints multiple times
        token.mint(); // First mint: 10,000,000 tokens
        assertEq(token.totalSupply(), 10_000_000 * 1e18, "Supply after first mint");
        token.mint(); // Second mint: 20,000,000 total tokens
        assertEq(token.totalSupply(), 20_000_000 * 1e18, "Supply after second mint");
        token.mint(); // Third mint: 30,000,000 total tokens
        assertEq(token.totalSupply(), 30_000_000 * 1e18, "Supply after third mint");
        // The owner can continue this indefinitely...
        // token.mint(); // 40,000,000 tokens
        // token.mint(); // 50,000,000 tokens
    }
}
```

Explanation: this PoC demonstrates the core issue. The mint() function can be called repeatedly by the owner, increasing the total supply without bound.

Recommended Mitigation

```diff
contract BriTechToken is ERC20, Ownable {
- constructor() ERC20("BriTechLabs", "BTT") Ownable(msg.sender) {}
+ constructor() ERC20("BriTechLabs", "BTT") Ownable(msg.sender) {
+ // Mint fixed total supply once during deployment
+ _mint(msg.sender, 100_000_000 * 10**decimals());
+ }
- function mint() public onlyOwner {
- _mint(owner(), 10_000_000 * 1e18);
- }
}
```
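Review bot: the added constructor line mints `100_000_000 * 10**decimals()` as a bare literal with no indication of where that figure comes from, while the removed mint() issued `10_000_000 * 1e18` per call; declare the chosen supply as a named constant (e.g. `uint256 public constant INITIAL_SUPPLY = 100_000_000 * 1e18;`) and reference it from the constructor so the intended tokenomics are visible and auditable. Also note that `msg.sender` and `owner()` coincide in this hunk only because `Ownable(msg.sender)` sets them equal in the same constructor.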
This approach completely eliminates the vulnerability by removing the minting capability entirely. The total supply is fixed at deployment, providing predictable tokenomics that users can trust.
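As an added example (not code from this submission or from the BriVault repository), the alternative the Risk section points at: keep an owner-only mint() but make it respect a hard supply ceiling, with a Foundry test showing the cap and the access control both hold. The contract name `CappedBriTechToken`, the `MAX_SUPPLY` and `MINT_AMOUNT` constants, the `MaxSupplyExceeded` error and the OpenZeppelin v5 import paths are assumptions for this example; the per-call amount and the 100,000,000 cap are taken from the figures on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Test} from "forge-std/Test.sol";

/// Hypothetical capped variant (added example, not the BriVault code).
/// Keeps the owner's mint() but refuses any mint that would push
/// totalSupply() above MAX_SUPPLY, so the cap is enforced on-chain.
contract CappedBriTechToken is ERC20, Ownable {
    uint256 public constant MINT_AMOUNT = 10_000_000 * 1e18;  // per-call amount from the original contract
    uint256 public constant MAX_SUPPLY = 100_000_000 * 1e18;  // cap chosen for this example (assumption)

    error MaxSupplyExceeded(uint256 requested, uint256 remaining);

    constructor() ERC20("BriTechLabs", "BTT") Ownable(msg.sender) {}

    function mint() public onlyOwner {
        // totalSupply() can never exceed MAX_SUPPLY because this is the only mint path,
        // so the subtraction cannot underflow.
        uint256 remaining = MAX_SUPPLY - totalSupply();
        if (MINT_AMOUNT > remaining) revert MaxSupplyExceeded(MINT_AMOUNT, remaining);
        _mint(owner(), MINT_AMOUNT);
    }
}

/// Foundry test (added example) checking that the cap and the owner check are enforced.
contract CappedMintTest is Test {
    CappedBriTechToken token;

    function setUp() public {
        token = new CappedBriTechToken(); // this test contract becomes the owner
    }

    function testCapBlocksMintBeyondMaxSupply() public {
        // Ten mints of 10,000,000 exactly fill the 100,000,000 cap...
        for (uint256 i = 0; i < 10; i++) token.mint();
        assertEq(token.totalSupply(), token.MAX_SUPPLY(), "Supply should equal the cap");

        // ...and the eleventh is rejected with the custom error instead of inflating supply.
        vm.expectRevert(
            abi.encodeWithSelector(CappedBriTechToken.MaxSupplyExceeded.selector, token.MINT_AMOUNT(), 0)
        );
        token.mint();
        assertEq(token.totalSupply(), token.MAX_SUPPLY(), "Supply must not exceed the cap");
    }

    function testNonOwnerCannotMint() public {
        address other = makeAddr("other"); // constructed address for the test
        vm.prank(other);
        vm.expectRevert(abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, other));
        token.mint();
        assertEq(token.totalSupply(), 0, "Unauthorized call must not mint");
    }
}
```

Run with `forge test` from a Foundry project that has forge-std and OpenZeppelin installed. The same effect can be had by inheriting OpenZeppelin's ERC20Capped, which checks the cap inside `_update`; the hand-written check above is shown so the condition being enforced is explicit. Either way the cap is a stronger property than a removed mint() if the project genuinely needs post-deployment issuance, and a weaker one if it does not, which is why the submission's fixed-supply recommendation remains the simplest option.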
Updates

Appeal created

bube (Lead Judge), 16 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
