The contract exposes the mint and burn functions without proper access control or a limit on token supply, which is a medium-risk vulnerability. These functions allow potentially unrestricted minting and burning, which could result in malicious manipulation of the token supply.
Root Cause:
The primary issue stems from the lack of restrictions on who can call the mint and burn functions. In a secure implementation of an ERC-20 token, these functions should be protected by access control modifiers (e.g., onlyOwner or onlyMinter) to prevent unauthorized users from minting or burning tokens arbitrarily.
Affected Functions:
mint: This function allows the creation of new tokens. Without restrictions, any address can mint tokens.
burn: This function allows the destruction of tokens. Similarly, without restrictions, a user could burn tokens they don’t own or burn too many tokens.
1. Inflationary Risk: If the mint function can be called by any address, it can lead to an excessive increase in the supply of tokens, thereby diluting the value of each token and destabilizing the stablecoin system.
2. Deflationary Risk: If the burn function is exploited by an attacker, tokens could be removed from circulation improperly, impacting liquidity and availability.
3. Loss of Trust: The lack of proper controls would undermine the trust in the decentralized stablecoin's economy, as users would not feel secure about the token’s stability and supply control.
Manual Code Review: The contract was manually analyzed for access control mechanisms on critical functions like mint and burn.
To mitigate this medium-risk vulnerability, the following steps are recommended:
Implement Access Control for Minting and Burning
Use a modifier (e.g., onlyOwner) to restrict the ability to mint and burn tokens to only authorized addresses.
Code:
Add Restrictions on Burning
Similarly, the burn function should ensure that only users who actually own the tokens they are trying to burn can execute it.
Code:
Ensure the Minter Role is Well-Defined
If there are multiple minters, implement role-based access control (RBAC) where only authorized accounts (such as minter addresses) can mint tokens.
Code:
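The three recommendations above (owner-gated minter administration, a burn that only touches the caller's own balance, and a role-based minter check with a supply cap) combined into one contract, as an added example written for this report and not code from the audited repository. Vyper has no modifiers, so the onlyOwner / onlyMinter checks are written as assert statements at the top of each function. The storage names owner, is_minter, MAX_SUPPLY, total_supply and balance_of, and the Vyper 0.3.10 version pragma, are assumptions for the example; the transfer and allowance functions of a full ERC-20 are omitted because they are not relevant to the finding.

```vyper
# @version 0.3.10
# Added example for this report: hardened mint/burn for a decentralized
# stablecoin. Names and layout are assumptions, not the audited contract.

event Transfer:
    sender: indexed(address)
    receiver: indexed(address)
    value: uint256

event MinterSet:
    account: indexed(address)
    allowed: bool

owner: public(address)                       # administrator of the minter role
is_minter: public(HashMap[address, bool])    # role-based access control for mint
MAX_SUPPLY: public(immutable(uint256))       # hard cap on total supply
total_supply: public(uint256)
balance_of: public(HashMap[address, uint256])

@external
def __init__(max_supply: uint256):
    assert max_supply > 0, "cap must be positive"
    self.owner = msg.sender
    MAX_SUPPLY = max_supply

@external
def set_minter(account: address, allowed: bool):
    # onlyOwner: only the deployer-administered owner may grant or revoke the role
    assert msg.sender == self.owner, "only owner"
    self.is_minter[account] = allowed
    log MinterSet(account, allowed)

@external
def mint(to: address, amount: uint256):
    # onlyMinter: the vulnerable version omitted this line, so any address could mint
    assert self.is_minter[msg.sender], "only minter"
    assert to != empty(address), "mint to zero address"
    # Supply cap: refuses any mint that would push total_supply above MAX_SUPPLY
    assert self.total_supply + amount <= MAX_SUPPLY, "cap exceeded"
    self.total_supply += amount
    self.balance_of[to] += amount
    log Transfer(empty(address), to, amount)

@external
def burn(amount: uint256):
    # Burn is restricted to the caller's own balance: there is no "from" parameter,
    # so no one can destroy tokens held by another account. Vyper reverts on
    # arithmetic underflow anyway; the explicit check gives a readable reason.
    assert self.balance_of[msg.sender] >= amount, "insufficient balance"
    self.balance_of[msg.sender] -= amount
    self.total_supply -= amount
    log Transfer(msg.sender, empty(address), amount)
```

Granting the minter role to a single trusted contract (for example the engine that takes collateral) rather than to externally owned accounts keeps the mint path auditable, and the MinterSet event gives an on-chain trail that monitoring can alert on whenever the role changes.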
Conclusion
The medium-risk vulnerability in this contract arises from the lack of access control on minting and burning operations. Implementing proper access restrictions and supply caps is essential to prevent malicious exploitation and ensure the stability of the decentralized stablecoin.
Link To File: https://github.com/Cyfrin/2024-12-algo-ssstablecoinsss/blob/main/src/decentralized_stable_coin.vy