Was this helpful?
Submitted on Jan 23rd 2025 at 15:35:01 UTC by @kenzo for
Report ID: #39153
Report Type: Smart Contract
Report severity: Insight
Target: https://github.com/immunefi-team/audit-comp-butter-cfm-v1-playmoney
Impacts:
Protocol insolvency
Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
The PlayCollateralTokenFactory contract contains a critical vulnerability in its createCollateralToken function that allows any user to create tokens with arbitrary supply and gain full control over token transfers. This bypasses the intended restrictive nature of the token contract where only specific addresses should be able to send/receive tokens.
The vulnerability exists in the createCollateralToken function of the PlayCollateralTokenFactory contract:
The vulnerability arises because:
Any address can call createCollateralToken
The caller can specify any amount for initialSupply
The caller can make themselves the owner
As owner, they gain full control over token transfers
Attack scenario:
Attacker calls createCollateralToken with themselves as owner
Attacker creates massive supply of tokens
Being the owner, attacker can now transfer tokens to any address
This bypasses the intended restriction where only owner or ConditionalTokens should control transfers.
As stated in PlayCollateralToken.sol, this is a restrictive ERC20 for "play money": only the owner or ConditionalTokens can send or receive tokens. However, due to this vulnerability:
Any address can create new tokens with themselves as owner
They can mint arbitrary amounts of tokens
As owner, they gain full transfer rights, bypassing the intended restrictions
This completely breaks the token's security model where transfers should be restricted
Add access control to the createCollateralToken function to ensure only authorized addresses can create new tokens.
Add this to PlayCollateralTokenFactoryTest.t.sol
