102.md

Wobbly Umber Haddock

High

An attacker can frontrun Minter.initialize(), give AMO_ROLE to a contract they control, and mint unlimited BOOST tokens.

Summary

An attacker can frontrun Minter.initialize(), give AMO_ROLE to a contract they control, and mint unlimited BOOST tokens.

Root Cause

In Minter.sol:initialize(), there is no access control on the function call, allowing anyone to call it first by frontrunning.

It grants msg.sender the DEFAULT_ADMIN_ROLE, which lets them call AccessControlUpgradeable.grantRole() and give a contract they control the AMO_ROLE needed to mint BOOST tokens with Minter.protocolMint().

Internal pre-conditions

  1. Either the Minter contract needs to be deployed but not yet initialized
  2. Or the Minter contract needs to be deployed and initialized in 2 different transactions

External pre-conditions

No response

Attack Path

  1. Attacker monitors the mempool for the initialize transaction from the legitimate deployer.
  2. Attacker frontruns this transaction with their own call to initialize, setting themselves as the admin.
  3. Attacker grants a contract they control the AMO_ROLE to bypass the onlyContract modifier.
  4. Attacker calls protocolMint to mint unlimited BOOST tokens.

Impact

The BOOST token holders suffer a complete loss of token value due to unlimited minting. The attacker gains the ability to mint an unlimited amount of BOOST tokens, effectively controlling the entire token supply and rendering the token worthless.

PoC

No response

Mitigation

No response
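
A post-deployment check for the two internal pre-conditions and the attack path above, added here as an example; it is not part of the original report or the project's code. It assumes initialize() and grantRole() emit OpenZeppelin's RoleGranted event and that the logs are already decoded; `audit_minter`, the finding codes, the AMO_ROLE value and every address and hash are constructed for illustration.

```python
from dataclasses import dataclass

DEFAULT_ADMIN_ROLE = "0x" + "00" * 32  # OpenZeppelin AccessControl constant
AMO_ROLE = "0x" + "a1" * 32            # placeholder, not the project's real role id

@dataclass(frozen=True)
class RoleGranted:
    """Decoded RoleGranted(role, account, sender) log from the Minter address."""
    tx: str
    position: tuple  # (block number, log index), used for ordering
    role: str
    account: str
    sender: str

def audit_minter(deploy_tx, expected_admin, events):
    """Return finding codes for one Minter deployment; an empty list means clean."""
    admin = expected_admin.lower()
    events = sorted(events, key=lambda e: e.position)
    admin_grants = [e for e in events if e.role == DEFAULT_ADMIN_ROLE]
    if not admin_grants:
        return ["UNINITIALIZED"]  # pre-condition 1: initialize() is still open
    findings = []
    first = admin_grants[0]  # emitted by whichever initialize() call landed first
    if first.account.lower() != admin:
        findings.append("ADMIN_HIJACKED")
    if first.tx != deploy_tx:
        findings.append("NON_ATOMIC_INIT")  # pre-condition 2: a race window existed
    if any(e.role != DEFAULT_ADMIN_ROLE and e.sender.lower() != admin for e in events):
        findings.append("UNTRUSTED_ROLE_GRANT")  # e.g. AMO_ROLE handed out by a stranger
    return findings

# Constructed sample data: none of these addresses or hashes are real.
DEPLOYER, STRANGER = "0x" + "d0" * 20, "0x" + "bb" * 20
AMO, STRANGER_CONTRACT = "0x" + "a0" * 20, "0x" + "cc" * 20
TX_DEPLOY, TX_LATER, TX_OTHER = ("0x" + c * 64 for c in "123")

ATOMIC = [RoleGranted(TX_DEPLOY, (100, 0), DEFAULT_ADMIN_ROLE, DEPLOYER, DEPLOYER),
          RoleGranted(TX_LATER, (105, 3), AMO_ROLE, AMO, DEPLOYER)]
TWO_STEP = [RoleGranted(TX_LATER, (101, 0), DEFAULT_ADMIN_ROLE, DEPLOYER, DEPLOYER)]
FRONTRUN = [RoleGranted(TX_OTHER, (101, 7), AMO_ROLE, STRANGER_CONTRACT, STRANGER),
            RoleGranted(TX_OTHER, (101, 2), DEFAULT_ADMIN_ROLE, STRANGER, STRANGER)]

if __name__ == "__main__":
    for name, logs in [("atomic", ATOMIC), ("two-step", TWO_STEP),
                       ("front-run", FRONTRUN), ("pending", [])]:
        print(f"{name:10s} {audit_minter(TX_DEPLOY, DEPLOYER, logs) or 'clean'}")
```

A NON_ATOMIC_INIT result on its own means the deployer won the race this time but the window was there; deploying and initializing in a single transaction closes it.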