BriVault

First Flight #52
Beginner Friendly, Solidity
100 EXP
Submission Details
Impact: medium
Likelihood: medium
Invalid

Missing Access Control on Token Distribution After Mint

Root + Impact

Description

  • Normal behavior:
    The mint() function creates new tokens and assigns them to the contract owner. These tokens are expected to be distributed fairly to users or used for liquidity, staking, or vault interactions.


  • Issue:
    The contract does not implement any mechanism to control or track the distribution of newly minted tokens. The owner can mint to themselves and choose not to distribute or lock tokens, centralizing all supply and violating decentralization assumptions.

// Root cause in the codebase with @> marks to highlight the relevant section
@> function mint() public onlyOwner {
@>     _mint(owner(), 10_000_000 * 1e18);
@> }

Risk

Likelihood:

  • The issue occurs whenever the owner executes mint() and retains full control over minted tokens without an enforced distribution schedule.

  • It can also occur when ownership is transferred to another address that behaves maliciously or hoards minted tokens.

Impact:

  • Token holders have no guarantee that new tokens will be distributed fairly or transparently.


  • The project’s tokenomics and trust model can collapse, as one actor holds the majority supply.

Proof of Concept

Explanation:
The owner repeatedly calls mint() and accumulates all supply without sharing or vesting. Users cannot verify or enforce fair token distribution.

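// SPDX-License-Identifier: MIT
pragma solidity ^0.8.24;

// Minimal interface for the token's mint() shown in the root cause above
interface BriTechToken {
    function mint() external;
}

contract Exploit {
    // mint() is onlyOwner, so this call succeeds only if this contract is the token's owner
    function simulateOwnerMint(address token) external {
        BriTechToken(token).mint();
        // Owner now holds all newly minted tokens
        // No distribution or restriction enforced
    }
}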
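The contract enforces nothing about distribution, but the concentration described above can be measured off-chain. The following is an added example, not code from the submission or the BriVault project: it replays ERC-20 Transfer events and reports what share of the minted supply went to the owner and how much the owner still holds. It assumes the token emits Transfer from the zero address on mint; the addresses, log tuples and the 50% threshold are constructed for illustration.

```python
from collections import defaultdict

ZERO = "0x" + "00" * 20  # mints show up as Transfer events from the zero address
UNIT = 10**18            # 18 decimals, matching the 1e18 scaling in mint()

def mint_concentration(transfers, owner):
    """Replay (from, to, value) Transfer events and measure owner concentration."""
    owner = owner.lower()
    balances = defaultdict(int)
    minted = minted_to_owner = 0
    for src, dst, value in transfers:
        src, dst = src.lower(), dst.lower()
        if src == ZERO:                 # mint: new supply created
            minted += value
            if dst == owner:
                minted_to_owner += value
        else:
            balances[src] -= value
        if dst != ZERO:                 # a transfer to the zero address is a burn
            balances[dst] += value
    supply = sum(balances.values())

    def bps(part, whole):
        # Integer basis points; an empty history yields 0 instead of dividing by zero.
        return part * 10_000 // whole if whole else 0

    return {
        "minted": minted,
        "owner_mint_bps": bps(minted_to_owner, minted),
        "owner_held_bps": bps(balances[owner], supply),
    }

def is_concentrated(report, threshold_bps=5_000):
    # Hypothetical policy: flag when the owner holds more than half the supply.
    return report["owner_held_bps"] > threshold_bps

# Constructed sample: two owner mints, then a single 1M distribution to a user.
OWNER = "0x" + "a1" * 20
USER = "0x" + "b2" * 20
SAMPLE_LOGS = [
    (ZERO, OWNER, 10_000_000 * UNIT),
    (ZERO, OWNER, 10_000_000 * UNIT),
    (OWNER, USER, 1_000_000 * UNIT),
]

if __name__ == "__main__":
    report = mint_concentration(SAMPLE_LOGS, OWNER)
    print(report, "concentrated:", is_concentrated(report))
```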

Recommended Mitigation

Implement minting with transparent distribution and hard limits.

Explanation:
This ensures controlled minting with transparent recipients and enforces a maximum total supply cap, preventing misuse.

- remove this code
+ add this code
- function mint() public onlyOwner {
- _mint(owner(), 10_000_000 * 1e18);
- }
+ function mint(address to, uint256 amount) external onlyOwner {
+ require(totalSupply() + amount <= 10_000_000 * 1e18, "Max supply exceeded");
+ _mint(to, amount);
+ }
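Review bot: in the added mint(address to, uint256 amount), nothing stops the owner from passing owner() as `to`, so the require caps total supply at 10_000_000 * 1e18 but the whole cap can still be minted to a single address, which is the behaviour the finding describes. If distribution is meant to be enforced, the recipient needs to be constrained; otherwise the change should be described as a supply cap only. The literal 10_000_000 * 1e18 in the require would read better as a named constant, and the new function has no NatSpec stating that the cap applies across all calls.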
Updates

Appeal created

bube Lead Judge 20 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
