Polite Vanilla Sloth
Medium
The funtion removes an address from whitelist.The vulnerability arises with the ability of malicious minter to quickly mint tokens after observing the transaction from the owner to remove in the mempool.The actor uses a higher gas fee than the owner therefore their transaction is mined first defeating the purpose of the function.
Frontrunning possible in https://github.com/sherlock-audit/2024-12-numa-audit/blob/main/Numa/contracts/NumaProtocol/NumaMinter.sol#L58
Loss of funds and arbitrary unauthorized minting
- owner sends a transaction to remove bob from whitelist
removeFromMinter(address(Bob)) - Bob sees the transaction and
mintsall tokens available from total supply.
Implement a lock modifier for the NumaMinter contract.where funtion is only callable by owner and is required for mint to be called. This will eliminate the risk posed by front running.
bool private locked;
modifier whileNotLocked() {
require(!locked, "Contract is locked");
_;
}
function setLock(bool _locked) external onlyOwner {
locked = _locked;
}
function mint(address to, uint256 amount) external onlyMinters whileNotLocked{
require(address(numa) != address(0), "token address invalid");
numa.mint(to, amount);
}- whileNotLocked