C4 audit report - VTVL contest
I participated in the VTVL contest from September 20, 2022 to September 23, 2022. I will explain my first medium report as a smart contract auditor. You can read the full audit report here.
The VTVL protocol allows users to generate and deploy token vesting smart contracts through their platform.
Medium severities: 1
Max supply limit for the VariableSupplyERC20Token contract could be bypassed.
Severity: medium
The project has an ERC20 contract that allows minting at will. You can see the next code:
1 | /** |
If maxSupply was assigned different to 0, the mint function should limit the token creation. Comment in the code says:
1 | @param maxSupply_ - What's the maximum supply. The contract won't allow minting over this amount. Set to 0 for no limit. |
Impact
The problem is that even when the maxSupply was assigned different to 0, the restriction was ignored in the mint function because the function will reduce the mintableSupply until 0 and zero also means “no limit”.
An unlimited supply will make the token inflationary, behavior that is not correct if the creator setting up the max supply.
Proof of concept
1 | from brownie import VariableSupplyERC20Token, accounts |
Recommended Mitigation
Consider a standard implementation https://docs.openzeppelin.com/contracts/2.x/erc20-supply#fixed-supply