Maximum supply cap is not immutable
Description
While the design requirements of the contracts include the ability for Chirp to define and change the issuance schedule and distribution policy of the $CHIRP tokens, they also specify that the maximum token supply should be decided and immutable.
The current version of the code contains safeguards preventing a change to the schedule configuration from minting an amount greater than the maximum supply value. Specifically, in treasury.mint::mint_entry, the check assert!(amount <= (max_supply - coin::total_supply(cap)), EMintLimitReached); prevents the contract from minting more than the configured maximum supply.
The maximum supply value is configured at deployment time and stored in the Treasury object.
We note that it is possible to bypass the maximum supply cap by upgrading the contracts.
Impact
This issue is reported as informational as we consider the current implementation to reflect the intended design.
Recommendations
The Sui Coin module does not allow setting a limit on the amount of Coins that can be minted by a SupplyCap. Given the current limitations of the Sui Coin module, all possible solutions to strictly enforce a maximum supply require relatively invasive code changes.
One possible design is minting the entire supply at the time the Coin is created, and storing the Coins in a contract which distributes them over time according to the schedule.
Alternatively, the SupplyCap could be handed to a non-upgradable contract that manages it according to a policy that cannot be changed after deployment.
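A sketch of the first design (mint everything at creation, distribute from a vault), as an added example that is not Chirp's code. It assumes the Move 2024 edition and the Sui framework's coin::TreasuryCap as the minting capability; the module, struct and constant names and all numeric values are hypothetical.

```move
module example::capped_coin {
    use sui::balance::{Self, Balance};
    use sui::coin;

    // Constructed values for illustration, not Chirp's parameters.
    const MAX_SUPPLY: u64 = 1_000_000_000_000_000_000;
    const PER_EPOCH: u64 = 1_000_000_000_000_000;
    const ENothingToRelease: u64 = 0;

    public struct CAPPED_COIN has drop {}
    public struct AdminCap has key, store { id: UID }
    public struct Vault has key {
        id: UID,
        locked: Balance<CAPPED_COIN>,
        start_epoch: u64,
    }

    fun init(witness: CAPPED_COIN, ctx: &mut TxContext) {
        let (mut cap, metadata) = coin::create_currency(
            witness, 9, b"CAP", b"Capped Coin", b"", option::none(), ctx,
        );
        // Mint the whole supply once, into the vault.
        let locked = coin::mint_balance(&mut cap, MAX_SUPPLY);
        // coin::mint takes &mut TreasuryCap; a frozen object can only be
        // borrowed immutably, so no code path can mint again.
        transfer::public_freeze_object(cap);
        transfer::public_freeze_object(metadata);
        transfer::share_object(Vault { id: object::new(ctx), locked, start_epoch: ctx.epoch() });
        transfer::transfer(AdminCap { id: object::new(ctx) }, ctx.sender());
    }

    // Linear unlock per epoch. An upgrade could change this policy, but it can
    // only move coins already in `locked`; it cannot raise the total supply.
    public fun release(_: &AdminCap, vault: &mut Vault, recipient: address, ctx: &mut TxContext) {
        let elapsed = ((ctx.epoch() - vault.start_epoch) as u128);
        let linear = (PER_EPOCH as u128) * elapsed;
        let unlocked = if (linear > (MAX_SUPPLY as u128)) MAX_SUPPLY else (linear as u64);
        let released = MAX_SUPPLY - balance::value(&vault.locked);
        assert!(unlocked > released, ENothingToRelease);
        let payout = coin::take(&mut vault.locked, unlocked - released, ctx);
        transfer::public_transfer(payout, recipient);
    }
}
```

With this layout the supply bound no longer depends on an assert! that an upgraded module could drop; the distribution schedule stays changeable, which matches the stated design requirement.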
Remediation
Chirp Network acknowledged this potential issue and opted to not address it via code changes to the modules. They declared their intent to entrust the capability to upgrade modules to the community via a governance vote, to ensure stakeholders have the opportunity to decide on possible future maximum supply changes.