C4 audit report - VTVL contest
I participated in the VTVL contest from September 20, 2022 to September 23, 2022. I will explain my first medium report as a smart contract auditor. You can read the full audit report here.
The VTVL protocol allows users to generate and deploy token vesting smart contracts through their platform.
Medium severities: 1
Max supply limit for the VariableSupplyERC20Token contract could be bypassed.
The project has an ERC20 contract that allows minting at will. You can see the next code:
If maxSupply was assigned different to 0, the mint function should limit the token creation. Comment in the code says:
@param maxSupply_ - What's the maximum supply. The contract won't allow minting over this amount. Set to 0 for no limit.
The problem is that even when the maxSupply was assigned different to 0, the restriction was ignored in the mint function because the function will reduce the mintableSupply until 0 and zero also means “no limit”.
An unlimited supply will make the token inflationary, behavior that is not correct if the creator setting up the max supply.
Proof of concept
from brownie import VariableSupplyERC20Token, accounts
Consider a standard implementation https://docs.openzeppelin.com/contracts/2.x/erc20-supply#fixed-supply