QA Report #33
Labels: bug, duplicate, QA (Quality Assurance: assets are not at risk; state handling, function incorrect as to spec, issues with clarity, syntax)
Lines of code
https://github.com/code-423n4/2022-02-hubble/blob/main/contracts/VUSD.sol#L7
Vulnerability details
Impact
Same as code-423n4/2022-01-livepeer-findings#193
The VUSD contract inherits from the ERC20PresetMinterPauser contract.
Through the mint() function of ERC20PresetMinterPauser, any address holding MINTER_ROLE can mint an arbitrary amount of tokens.
If the private key of the deployer or an address with the MINTER_ROLE is compromised, the attacker will be able to mint an unlimited amount of VUSD tokens.
We believe this is unnecessary and poses a serious centralization risk.
Proof of Concept
https://github.com/code-423n4/2022-02-hubble/blob/main/contracts/VUSD.sol#L7
Tools Used
None
Recommended Mitigation Steps
Consider removing the MINTER_ROLE, making VUSD mintable only by the owner, and making the MarginAccount contract the owner and therefore the only minter.
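The following is an added illustration of the recommended shape, not the Hubble project's VUSD.sol or MarginAccount code. It assumes OpenZeppelin Contracts 4.x (Ownable's constructor takes no arguments, and ERC20PresetMinterPauser grants MINTER_ROLE to the deployer); the token name, the MarginAccountStub contract and the VUSDDeployer contract are constructed here for illustration. The only address that can call mint() after deployment is the MarginAccount contract, so a compromised deployer key no longer gives unlimited minting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the project's code. Assumes OpenZeppelin Contracts 4.x.
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

// Risky shape the report describes (shown as a comment only):
//   contract VUSD is ERC20PresetMinterPauser { ... }
// Every MINTER_ROLE holder, the deployer by default, can call
// mint(address,uint256) for any amount.

/// Hardened shape: no AccessControl roles, a single onlyOwner mint, and the
/// deployer hands ownership to the MarginAccount contract so that contract is
/// the only address that can ever mint.
contract VUSDOwnerMintable is ERC20, Ownable {
    // Token name/symbol are placeholders, not the project's values.
    constructor() ERC20("VUSD", "VUSD") {}

    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }
}

/// Hypothetical minimal stand-in for the MarginAccount contract: it mints VUSD
/// only from its own accounting path, never on an external request for an
/// arbitrary amount.
contract MarginAccountStub {
    VUSDOwnerMintable public immutable vusd;

    constructor(VUSDOwnerMintable _vusd) {
        vusd = _vusd;
    }

    /// Placeholder for the real credit path; `amount` is whatever the margin
    /// logic computes, and only this contract can reach vusd.mint().
    function _creditVusd(address trader, uint256 amount) internal {
        vusd.mint(trader, amount);
    }
}

/// Deployment sequence performing the ownership handover in one transaction,
/// so there is no window in which an EOA holds minting rights.
contract VUSDDeployer {
    VUSDOwnerMintable public vusd;
    MarginAccountStub public marginAccount;

    constructor() {
        vusd = new VUSDOwnerMintable();                 // this contract is owner here
        marginAccount = new MarginAccountStub(vusd);
        vusd.transferOwnership(address(marginAccount)); // now only MarginAccount can mint
    }

    /// Post-deployment check a reviewer can call: minting is locked to MarginAccount.
    function mintingLockedToMarginAccount() external view returns (bool) {
        return vusd.owner() == address(marginAccount);
    }
}
```

After deployment, `mintingLockedToMarginAccount()` should return true and a call to `vusd.mint()` from the deployer or any other EOA should revert with Ownable's "caller is not the owner" error; that revert is the property the mitigation is meant to guarantee.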