#46326 [SC-Medium] Incorrect Minting Cap Check in Minting Process

Submitted on May 28th 2025 at 12:17:07 UTC by @aman for Audit Comp | Flare | FAssets

• Report ID: #46326

• Report Type: Smart Contract

• Report severity: Medium

• Target: https://github.com/flare-foundation/fassets/blob/main/contracts/assetManager/library/Minting.sol

• Impacts:

  • Contract fails to deliver promised returns, but doesn't lose value

Description

Brief/Intro

The checkMintingCap function in Minting.sol only checks the valueAMG against the minting cap, but the actual minting process adds both valueAMG and poolFeeAMG to the agent's minted amount. This discrepancy allows the total minted amount to exceed the intended minting cap.

Vulnerability Details

The vulnerable code is in Minting.sol:

/fassets/contracts/assetManager/library/Minting.sol:75
 75:     function selfMint(
 76:         IPayment.Proof calldata _payment,
 77:         address _agentVault,
 78:         uint64 _lots
 79:     )
 80:         internal
 81:     {
.....
 90:         require(collateralData.freeCollateralLots(agent) >= _lots, "not enough free collateral");
 91:         uint64 valueAMG = _lots * Globals.getSettings().lotSizeAMG;
 92:         checkMintingCap(valueAMG); <----@
107:         if (_lots > 0) {
108:             _performMinting(agent, MintingType.SELF_MINT, 0, msg.sender, valueAMG, receivedAmount, poolFeeUBA);
109:         } else {

_performMinting function :

Here we only check the valueAMG not the Fee which will also be added to agent.mintedAMG

Impact Details

• Severity: Low

• Impact: Allows total minted amount to exceed the minting cap by the amount of pool fees

• Scope: Affects all minting operations in the system either via reserveCollateral, mintFromFreeUnderlying and selfMint

References

• File: contracts/assetManager/library/Minting.sol

• Function: checkMintingCap

• Function: _performMinting

1. Fix the minting cap check to include pool fees:

1. Update all calls to checkMintingCap to include pool fees

Proof of Concept

Proof of Concept

1. The MintingCapAMG is set to 1000.

2. An agent attempts to mint valueAMG of 1000.

3. The PoolFeeAMG is calculated as 100 (10% of the minting amount).

4. The code only checks the valueAMG against the minting cap, so the check require(totalAMG + _increaseAMG <= mintingCapAMG, "minting cap exceeded") passes because 0 + 1000 <= 1000.

5. After the check, the system increases the agent's mintedAMG by _valueAMG, where _valueAMG = valueAMG + feeAMG.

6. The final value of agent.MintedAMG becomes 1100 (1000 + 100).

This demonstrates that despite the minting cap being set to 1000, the agent successfully minted 1100 AMG, exceeding the intended cap by 100 AMG. For simplicity, decimal and dust calculations have been ignored in this example.