NFT Dealers

First Flight #58
Beginner Friendly | Foundry
100 EXP
Submission Details
Impact: high
Likelihood: high

Unrestricted Mint Enables Arbitrary Payment Forgery & Marketplace Drain

Author: Revealed upon completion

Root + Impact

Description

  • Under normal behavior, the ERC20 token used for payments must enforce strict minting controls so users can only spend legitimately acquired funds.
  • MockUSDC allows any address to mint arbitrary token amounts, enabling attackers to fabricate an unlimited balance and purchase NFTs or extract marketplace value at no real cost.

    // @> Anyone can mint unlimited tokens: no access control on the caller
    function mint(address to, uint256 amount) external {
        _mint(to, amount);
    }

Risk

Likelihood:

  • Occurs whenever MockUSDC is used outside a strictly controlled test environment.
  • Happens during normal mint calls, since the function carries no access restriction.

Impact:

  • An attacker can mint unlimited funds and buy NFTs for free.
  • The marketplace's economic guarantees are completely broken.

Proof of Concept

    // Attacker mints fake USDC (no role check stops the call)
    mockUSDC.mint(attacker, 1_000_000e6);
    // Attacker buys an NFT without real cost
    dealers.buy(tokenId);

Recommended Mitigation

  • Restrict minting to a privileged role.
  • Explicitly mark the token as test-only (name, symbol and comments) so it is never deployed as a production payment token.
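The following Foundry test is an added example written for this finding; it is not code from the NFT Dealers project. It shows a hardened mock with the minter fixed in the constructor (the contract name RestrictedMockUSDC, the NotMinter error and the OpenZeppelin/forge-std import paths are assumptions), and checks both that the privileged address can mint and that an arbitrary caller is rejected, which is the property the original MockUSDC lacks.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed dependency paths: forge-std and OpenZeppelin ERC20 installed via forge.
import {Test} from "forge-std/Test.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";

/// Hardened variant of MockUSDC (example contract, not the project's own).
/// Only the address fixed at deployment may mint; the name marks it test-only.
contract RestrictedMockUSDC is ERC20 {
    address public immutable minter;

    error NotMinter(address caller);

    constructor(address minter_) ERC20("Mock USDC (TEST ONLY)", "mUSDC") {
        require(minter_ != address(0), "minter is zero");
        minter = minter_;
    }

    // Mirror real USDC's 6 decimals so 1_000_000e6 means one million tokens.
    function decimals() public pure override returns (uint8) {
        return 6;
    }

    // Access check on the caller; anyone else reverts with a typed error.
    function mint(address to, uint256 amount) external {
        if (msg.sender != minter) revert NotMinter(msg.sender);
        _mint(to, amount);
    }
}

contract RestrictedMockUSDCTest is Test {
    RestrictedMockUSDC token;
    address minter = makeAddr("minter");     // constructed test address
    address attacker = makeAddr("attacker"); // constructed test address

    function setUp() public {
        token = new RestrictedMockUSDC(minter);
    }

    // The privileged role can still fund test accounts.
    function test_MinterCanMint() public {
        vm.prank(minter);
        token.mint(minter, 1_000_000e6);
        assertEq(token.balanceOf(minter), 1_000_000e6);
    }

    // The unrestricted-mint path from the finding no longer exists:
    // the same call the PoC makes now reverts and the balance stays zero.
    function test_ArbitraryCallerCannotMint() public {
        vm.prank(attacker);
        vm.expectRevert(
            abi.encodeWithSelector(RestrictedMockUSDC.NotMinter.selector, attacker)
        );
        token.mint(attacker, 1_000_000e6);
        assertEq(token.balanceOf(attacker), 0);
    }
}
```

Run with `forge test --match-contract RestrictedMockUSDCTest`. Using an immutable set in the constructor avoids a separate "who assigns the minter" step, which is the part most easily forgotten when a modifier is added to an existing mock.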

- remove this code
+ add this code
+address public minter;
+ modifier onlyMinter() {
+ require(msg.sender == minter, "Not authorized");
+ _;
+}
+ function mint(address to, uint256 amount) external onlyMinter {
+ _mint(to, amount);
+}
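Review bot: `minter` is declared (`+address public minter;`) but never assigned anywhere in this hunk, so `require(msg.sender == minter, ...)` can only pass for `address(0)` and every `mint` call would revert, including the test setup's own funding calls; add a constructor that sets it (`constructor() { minter = msg.sender; }`) or replace the hand-rolled modifier with OpenZeppelin `Ownable`/`AccessControl`. The `- remove this code` and `+ add this code` lines are unfilled template placeholders; the removed line should be the original unrestricted `function mint(address to, uint256 amount) external {` signature so the diff is self-explanatory.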
