[NAZ-M9] isMinter Can Be Granted By The Deployer Of StableToken And Mint/Burn Arbitrary Amount Of Tokens
#598
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-377
unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableToken.sol#L9
https://github.com/code-423n4/2022-12-tigris/blob/main/contracts/StableToken.sol#L38
Vulnerability details
Impact
If the private key of the deployer or an address in the isMinter mapping is compromised, the attacker will be able to mint/burn an unlimited amount of tigUSD tokens.
Tools Used
Manual Review
Recommended Mitigation Steps
Consider removing the isMinter mapping, making tigUSD only mintable by the owner, and make the stableToken.sol contract the owner and therefore the only minter.