Algo Ssstablecoinsss

First Flight #30
Beginner Friendly, DeFi
100 EXP
Submission Details
Severity: medium
Invalid

Mint and burn functions are potentially unprotected, allowing for abuse.

Summary

The contract exposes the mint and burn functions without proper access control or limitations on token supply, which poses a medium-risk vulnerability. These functions allow for potentially unrestricted token minting and burning, which could result in malicious manipulation of the token supply.

Vulnerability Details

Root Cause:
The primary issue stems from the lack of restrictions on who can call the mint and burn functions. In a secure ERC-20 implementation these functions should be guarded by an owner or minter check (the equivalent of Solidity's onlyOwner or onlyMinter modifiers; in Vyper, an assert or internal check at the top of the function) so that unauthorized callers cannot mint or burn tokens arbitrarily.

Affected Functions:

mint: This function allows the creation of new tokens. Without restrictions, any address can mint tokens.
burn: This function allows the destruction of tokens. Similarly, without restrictions, a user could burn tokens they don’t own or burn too many tokens.

Impact

1. Inflationary Risk: If the mint function can be called by any address, the supply can be increased without bound, diluting the value of every existing token and breaking the peg the stablecoin system depends on.

2. Deflationary Risk: If the burn function is exploited by an attacker, tokens could be removed from circulation improperly, impacting liquidity and availability.

3. Loss of Trust: The lack of proper controls would undermine the trust in the decentralized stablecoin's economy, as users would not feel secure about the token’s stability and supply control.

Tools Used

Manual Code Review: The contract was manually analyzed for access control mechanisms on critical functions like mint and burn.

Recommendations

To mitigate this medium-risk vulnerability, the following steps are recommended:

  1. Implement Access Control for Minting and Burning
    Gate both functions behind an owner check (the Vyper equivalent of an onlyOwner modifier) so that only authorized addresses can mint or burn tokens.

Code:

# pragma version ^0.4.0
# Vyper has no modifiers: the owner check is an internal call made at the
# top of each restricted function, using snekmate's ownable module.
from snekmate.auth import ownable as ow
from snekmate.tokens import erc20

initializes: ow
initializes: erc20[ownable := ow]

# Export only the standard ERC-20 surface; the access-controlled
# mint and burn below are the only supply-changing entry points.
exports: erc20.IERC20

@deploy
def __init__():
    ow.__init__()  # owner = deployer
    erc20.__init__("DecentralizedStableCoin", "DSC", 18, "DecentralizedStableCoin", "1")

@external
def mint(to: address, amount: uint256):
    # Reverts with "ownable: caller is not the owner" for anyone else
    ow._check_owner()
    erc20._mint(to, amount)

@external
def burn(amount: uint256):
    # Same owner restriction applied to burning
    ow._check_owner()
    erc20._burn(msg.sender, amount)
  2. Add Restrictions on Burning
    Similarly, the burn function should ensure that only users who actually own the tokens they are trying to burn can execute it.

Code:

@external
def burn(amount: uint256):
    # Explicit balance check: a caller can only burn tokens it actually holds
    assert erc20.balanceOf[msg.sender] >= amount, "DSC: insufficient balance to burn"
    erc20._burn(msg.sender, amount)
  3. Ensure the Minter Role is Well-Defined
    If there are multiple minters, implement role-based access control (RBAC) where only authorized accounts (such as minter addresses) can mint tokens.
    Code:

minter: public(address)

@external
def set_minter(new_minter: address):
    # Only the owner may assign or rotate the minter role
    ow._check_owner()
    self.minter = new_minter
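The three recommendations above combined into one contract, as an added example that is neither the project's own decentralized_stable_coin.vy nor code from the original submission. It assumes Vyper 0.4 module syntax with snekmate's ownable and erc20 modules; the is_minter role map, the max_supply cap and the MinterSet event are hypothetical names chosen for this example.

```vyper
# pragma version ^0.4.0
# Added example (not the project's contract): owner-managed minter role,
# hard supply cap, and balance-checked burn on top of snekmate's modules.
from snekmate.auth import ownable as ow
from snekmate.tokens import erc20

initializes: ow
initializes: erc20[ownable := ow]

# Standard ERC-20 surface plus owner management (owner, transfer_ownership,
# renounce_ownership). snekmate's own mint/burn_from/set_minter are NOT
# exported; the access-controlled versions below are the only entry points.
exports: (
    erc20.IERC20,
    ow.__interface__,
)

event MinterSet:
    minter: indexed(address)
    status: bool

# Hypothetical role and cap state (names chosen for this example)
is_minter: public(HashMap[address, bool])
max_supply: public(uint256)

@deploy
def __init__(max_supply_: uint256):
    ow.__init__()  # owner = deployer
    erc20.__init__("DecentralizedStableCoin", "DSC", 18, "DecentralizedStableCoin", "1")
    assert max_supply_ > 0, "DSC: max supply must be greater than zero"
    self.max_supply = max_supply_

@external
def set_minter(minter: address, status: bool):
    # Only the owner can grant or revoke the minter role
    ow._check_owner()
    assert minter != empty(address), "DSC: minter is the zero address"
    self.is_minter[minter] = status
    log MinterSet(minter, status)

@external
def mint(to: address, amount: uint256):
    # Minting requires the minter role and must never exceed the cap
    assert self.is_minter[msg.sender], "DSC: caller is not a minter"
    assert amount > 0, "DSC: amount must be greater than zero"
    assert erc20.totalSupply + amount <= self.max_supply, "DSC: max supply exceeded"
    erc20._mint(to, amount)

@external
def burn(amount: uint256):
    # Holders may burn only their own balance; the explicit check gives a
    # clear revert reason instead of a bare arithmetic underflow
    assert amount > 0, "DSC: amount must be greater than zero"
    assert erc20.balanceOf[msg.sender] >= amount, "DSC: insufficient balance to burn"
    erc20._burn(msg.sender, amount)
```

The check a practitioner should run after deploying this pattern: call mint from an address that has not been granted the role and confirm it reverts with "DSC: caller is not a minter", call set_minter from a non-owner and confirm the ownable revert, and mint up to max_supply plus one wei to confirm the cap holds.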

Conclusion
The medium-risk vulnerability in this contract arises from the lack of access control on minting and burning operations. Implementing proper access restrictions and supply caps is essential to prevent malicious exploitation and ensure the stability of the decentralized stablecoin.

Link To File: https://github.com/Cyfrin/2024-12-algo-ssstablecoinsss/blob/main/src/decentralized_stable_coin.vy

Updates

Lead Judging Commences

bube Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
