Omniscia Vector Finance Audit
ERC20 Manual Review Findings
ERC-01M: Overly Centralized Functionality
| Type | Severity | Location |
|---|---|---|
| Logical Fault | Medium | ERC20.sol:L303-L305, L307-L309 |
Description:
The ERC20 implementation of the Vector Finance project permits the owner of the token to mint and burn token units arbitrarily and from any account.
Example:
contracts/utils/ERC20.sol (lines 303-309):

```solidity
// Owner can create new units for any account without limit.
function mint(address account, uint256 amount) external virtual onlyOwner {
    _mint(account, amount);
}

// Owner can destroy units held by any account, with no consent from that account.
function burn(address account, uint256 amount) external virtual onlyOwner {
    _burn(account, amount);
}
```
Recommendation:
We advise that this functionality be limited to a certain degree (e.g. a burn operation should require that the affected account has granted an approval to the owner before it can be executed), and we recommend that the ownership structure be documented in in-line comments to better illustrate the centralization level of the token.
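The following contract is an added illustration of the recommended gating, not code from the Vector Finance repository or from the audit. It assumes an OpenZeppelin-style `ERC20` base that exposes `_spendAllowance`, `_mint` and `_burn` (present in OpenZeppelin Contracts 4.6 and later); the contract name, token name and symbol are placeholders.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumption: OpenZeppelin ERC20 base providing _mint, _burn and _spendAllowance.
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

// Added example, not Vector Finance code. Shows the owner-only burn from the
// finding next to a variant that only burns what the holder has approved.
contract AllowanceGatedToken is ERC20 {
    // A single privileged address; in the audited protocol this is expected to be
    // another protocol contract rather than an externally owned account.
    address public immutable owner;

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    constructor() ERC20("Example Token", "EXT") {
        owner = msg.sender;
    }

    // Minting stays owner-only; the centralization here should be documented
    // in-line so integrators can assess who controls supply.
    function mint(address account, uint256 amount) external onlyOwner {
        _mint(account, amount);
    }

    // Hardened burn: the owner may only remove units that `account` has
    // explicitly approved to the owner address via the standard ERC20
    // `approve`. `_spendAllowance` reverts if the allowance is insufficient and
    // decrements it otherwise, mirroring the semantics of `burnFrom`.
    function burn(address account, uint256 amount) external onlyOwner {
        _spendAllowance(account, owner, amount);
        _burn(account, amount);
    }
}
```

With this structure, a holder who has not called `approve(owner, amount)` cannot have their balance burned by the owner, while the protocol contracts that legitimately need to burn on a user's behalf can still do so after the user has opted in. Minting remains a centralization point and is the reason the in-line ownership documentation matters.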
Alleviation:
Comments were introduced in the codebase that indicate the token will solely be owned by other contracts of the protocol such as MasterChief and MainStaking, thereby disallowing misuse of the functions.