Token-0x
First Flight #54
Beginner FriendlyDeFi
100 EXP
View all submissions
Previous Next
Submission Details
Impact: high
Likelihood: high

No Access Control Mechanism for the Mint and Burn Functions

Author Revealed upon completion

Burn & Mint Functions open to public call access, No check for user balance before burning token

Description

  • The functions mint(), burn() should have restricted access to the deployer of contract or specific addresses, and the burn function should revert if the specified value to burn exceeds the account balance

  • 1. The Burn and Mint functions do not have access control checks
    2. The Burn function has no check for the value specified against the balance of the account, to revert if value is large

Risk

Likelihood:

  • Attacker can exploit the mint function when they call the mint function specifying their own address

  • Attacker can exploit the burn function when they call the mint function specifying an address with a value higher than the Balance available for that address

Impact:

  • Attacker generates value for themselves out of thin air and exchange it on Exchanges for relative value in other tokens

Proof of Concept

Token 2 Contract
Step 1 (Attacker calls this method)
function mint(address account, uint256 value) public {
_mint(account, value);
}
Step 2 (Method mint() calls _mint) [No checks for access rights]
function _mint(address account, uint256 value) internal {
.....
}
Step 3
Attacker obtains tokens in their address

Recommended Mitigation

- remove this code
+ add this code
contract Token2 is ERC20 {
address immutable private Owner;
constructor() ERC20("Token", "TKN") {
Owner = msg.sender;
}
function mint(address account, uint256 value) public {
require(msg.sender == Owner,"Not Authorized");
_mint(account, value);
}
function burn(address account, uint256 value) public {
require(msg.sender == Owner,"Not Authorized");
_burn(account, value);
}
}

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!