NFT Dealers

First Flight #58
Beginner Friendly, Foundry
100 EXP
Submission Details
Impact: high
Likelihood: high
Invalid

Lack of Access Control in `MockUSDC::mint`

Root + Impact

Description

  • Normal Behavior: A minting function for a stablecoin or collateral token should be restricted to a privileged role (an owner or minter) or to specific protocol logic, so that the supply stays controlled and the mock behaves like a real-world token.


  • Specific Issue: The `mint` function in the `MockUSDC` contract is `external` and has no access-control modifier (such as `onlyOwner`). Any address, including a malicious actor or an unauthorized contract, can therefore mint an arbitrary amount of USDC to itself.

function mint(address to, uint256 amount) external {
    // No access control: any caller reaches _mint
    _mint(to, amount);
}

Risk

Likelihood:

  • This can be called anytime to drain the protocol

Impact:

  • Loss of funds

Proof of Concept

Paste this test function into `NFTDealersTest`:

function test_anyoneCanMintUsdc() public {
    // An arbitrary, unprivileged address mints 1,000 USDC (6 decimals) to itself
    address randomUser = makeAddr("randomUser");
    usdc.mint(randomUser, 1000e6);
    assertEq(usdc.balanceOf(randomUser), 1000e6);
}

Recommended Mitigation

Add an Ownable pattern to the contract to ensure that only the deployer can distribute tokens.
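The mitigation above, shown as an added example that is not code from the NFT Dealers repository or from the submitter. It assumes OpenZeppelin Contracts v5 (`Ownable(initialOwner)` constructor and the `OwnableUnauthorizedAccount` error), forge-std for the test, and a `MockUSDC` constructor, token name and 6-decimal override that are guesses, since the original contract source is not shown on this page. The test contract name `MockUSDCAccessTest` is also an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Test} from "forge-std/Test.sol";

/// Hardened MockUSDC: minting is restricted to the owner, which defaults to
/// the deployer. Name, symbol and the 6-decimal override are assumptions.
contract MockUSDC is ERC20, Ownable {
    constructor() ERC20("Mock USDC", "USDC") Ownable(msg.sender) {}

    function decimals() public pure override returns (uint8) {
        return 6;
    }

    /// onlyOwner is the check that the original mint function lacks.
    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }
}

/// Foundry test (hypothetical name) covering both sides of the check:
/// an unprivileged caller is rejected, the deployer can still mint.
contract MockUSDCAccessTest is Test {
    MockUSDC usdc;
    address owner;
    address attacker;

    function setUp() public {
        owner = address(this);           // deployer becomes owner
        attacker = makeAddr("attacker");
        usdc = new MockUSDC();
    }

    function test_nonOwnerCannotMint() public {
        vm.prank(attacker);
        vm.expectRevert(
            abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, attacker)
        );
        usdc.mint(attacker, 1000e6);
        assertEq(usdc.balanceOf(attacker), 0);
    }

    function test_ownerCanMint() public {
        usdc.mint(owner, 1000e6);
        assertEq(usdc.balanceOf(owner), 1000e6);
    }
}
```

With the modifier in place, the original `test_anyoneCanMintUsdc` proof of concept reverts with `OwnableUnauthorizedAccount`, which is the behaviour the second test pins down explicitly. If other test fixtures need pre-funded accounts, the owner mints to them in `setUp` instead of each account minting for itself.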

Updates

Lead Judging Commences

rubik0n Lead Judge 16 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Invalid

Appeal created

etherengineer Submitter
15 days ago
rubik0n Lead Judge 8 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

Invalid
