code423n4 Code4rena CODE423N4:2022-05-RUNES-FINDINGS-ISSUES-301
Jun 19, 2022 - 12:00 a.m.

Upgraded Q -> M from 36 [1655654413719]


Judge has assessed an item in Issue #36 as Medium risk. The relevant finding follows:

Allows owner to mint more tokens than planned

There are two ways for the owner of the contract to mint tokens for themselves unrelated to the public sale:

In both cases there’s only one limiting factor. The max supply set to 16000.
Technically, the owner is able to mint all 16000 for themselves. But, you obviously wouldn’t do that. There’s no value in it.
In the README it says that the owner is supposed to get about ~709 tokens distributed across multiple parties.

I’d advise to set strict limits in the code to only allow the specified mints for the owner instead of having a general mint function for owners. It builds trust with your users and protects you from accidentally minting too many.

One easy approach would be to keep track of tokens minted by the owner and set a limit to teamSummon() like this:

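// Running total of tokens minted through teamSummon(); starts at 0.
uint256 public ownerMints;

function teamSummon(address recipient, uint256 count) external onlyOwner {
    // Reject any call that would push the owner's cumulative mints past 709.
    require(ownerMints + count <= 709);
    ownerMints += count;
    require(address(recipient) != address(0), 'address req');
    for (uint256 i = 0; i < count; i++) {
        _mint(recipient);
    }
}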
