New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
In ERC20
, TotalSupply
is broken
#108
Comments
The explanation is not clear. We can't seem to reproduce this issue as we can't find a scenario where the |
@tkkwon1998 to clarify: Deploy the ERC20 with Then Then if someone mints 1000 tokens, there is 1000 tokens in the market but due to |
I believe the submission could have benefitted by:
However the finding is ultimately true in that, because For this reason, I believe the finding to be valid and High Severity to be appropriate. I recommend the warden to err on the side of giving too much information to avoid getting their finding invalidated incorrectly |
After further thinking, I still believe the finding is of high severity as the ERC20 standard is also broken, I do believe the submission could have been better developed, however, I think High is in place here |
Lines of code
https://github.com/Plex-Engineer/lending-market/blob/ab31a612be354e252d72faead63d86b844172761/contracts/ERC20.sol#L33
https://github.com/Plex-Engineer/lending-market/blob/ab31a612be354e252d72faead63d86b844172761/contracts/ERC20.sol#L95
Vulnerability details
Impact
For an obscure reason as it’s not commented,
_totalSupply
is not initialized to 0, leading to an inaccurate total supply, which could easily break integrations, computations of market cap, etc.Proof of Concept
If the constructor is called with
_initialSupply = 1000
, then1000
tokens are minted. The total supply will be2000
.Recommended Mitigation Steps
Remove
_initialSupply
.The text was updated successfully, but these errors were encountered: