Omniscia Vector Finance Audit

ERC20 Manual Review Findings

ERC-01M: Overly Centralized Functionality

Type: Logical Fault
Severity: Medium
Location: ERC20.sol:L303-L305, L307-L309

Description:

The ERC20 implementation of the Vector Finance project permits the owner of the token to mint token units to any account and to burn token units from any account, arbitrarily and without the account holder's consent. A compromised or malicious owner key could therefore inflate the supply or destroy any holder's balance at will.

Example:

contracts/utils/ERC20.sol
303  function mint(address account, uint256 amount) external virtual onlyOwner {
304      _mint(account, amount);
305  }
306
307  function burn(address account, uint256 amount) external virtual onlyOwner {
308      _burn(account, amount);
309  }

Recommendation:

We advise that this functionality be limited to a certain degree (e.g. a burn operation should require that the affected account has approved the owner for at least the amount being burned) and that the ownership structure be documented with in-line comments to better illustrate the centralization level of the token.
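As an added illustration of the recommended restriction, the following minimal token keeps the owner-only `mint` pattern shown above but makes the privileged `burn` consume the holder's allowance to the owner, so the owner can only destroy what a holder has explicitly approved. This is example code written for this page, not Vector Finance's contract; the contract name and helper names are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Example only (not the audited ERC20.sol): an owner-controlled token whose
/// privileged burn is bounded by the holder's allowance to the owner.
contract CentralizedBurnExample {
    string public constant name = "Example Token";
    string public constant symbol = "EXT";
    uint8 public constant decimals = 18;

    uint256 public totalSupply;
    address public owner;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed holder, address indexed spender, uint256 value);

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        emit Approval(msg.sender, spender, amount);
        return true;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _transfer(msg.sender, to, amount);
        return true;
    }

    // Same privilege as the audited pattern: the owner may mint to any account.
    function mint(address account, uint256 amount) external onlyOwner {
        _mint(account, amount);
    }

    // Hardened burn: reverts unless `account` has approved the owner for
    // at least `amount`, so the owner cannot destroy arbitrary balances.
    function burn(address account, uint256 amount) external onlyOwner {
        _spendAllowance(account, msg.sender, amount);
        _burn(account, amount);
    }

    // Deducts `amount` from holder's allowance to spender (infinite allowance
    // is left untouched, mirroring common ERC20 implementations).
    function _spendAllowance(address holder, address spender, uint256 amount) internal {
        uint256 current = allowance[holder][spender];
        if (current != type(uint256).max) {
            require(current >= amount, "insufficient allowance");
            uint256 remaining = current - amount;
            allowance[holder][spender] = remaining;
            emit Approval(holder, spender, remaining);
        }
    }

    function _mint(address account, uint256 amount) internal {
        require(account != address(0), "mint to zero address");
        totalSupply += amount;
        balanceOf[account] += amount;
        emit Transfer(address(0), account, amount);
    }

    function _burn(address account, uint256 amount) internal {
        require(balanceOf[account] >= amount, "burn exceeds balance");
        balanceOf[account] -= amount;
        totalSupply -= amount;
        emit Transfer(account, address(0), amount);
    }

    function _transfer(address from, address to, uint256 amount) internal {
        require(to != address(0), "transfer to zero address");
        require(balanceOf[from] >= amount, "transfer exceeds balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        emit Transfer(from, to, amount);
    }
}
```

With this change a holder who never calls `approve(owner, ...)` cannot have tokens burned by the owner; `mint` remains fully centralized, which is why the finding also asks for the ownership structure to be documented so that readers can judge who actually holds the owner role.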

Alleviation:

Comments were introduced in the codebase indicating that the token will be owned solely by other contracts of the protocol, such as MasterChief and MainStaking, so that the mint and burn functions can only be invoked through those contracts' own logic, thereby preventing misuse of the functions.