★ Admin has mint() with unlimited max
StakeWise v3's assessment for RD-F-042 — scored red on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.
Evidence summary
[★ CRITICAL] OsToken.sol mint(address account, uint256 value) is callable by authorized controllers. No supply cap exists. The DAO Treasury Safe (4-of-7) owns OsToken and can call setController() to authorize any address (including itself) to mint unlimited osETH immediately, with no timelock. This power was exercised in November 2025 (Balancer exploit recovery: the hacker's osETH was burned and an identical amount minted to the DAO wallet). Emergency controller functionality has NOT been formally removed on-chain as of 2026-05-16 — no confirmed SWIP executing a revocation was found.
Sources
- OsToken.sol (GitHub, stakewise/v3-core): the OsToken.sol constructor has no maxSupply or cap parameter; mint(address,uint256) carries the onlyController modifier with no supply limit. Retrieved 2026-05-16.
- Balancer hacker loses $20M (DL News): the DAO used a loophole to burn the hacker's tokens and mint an equivalent amount; confirms unlimited mint capability via a controller grant. Retrieved 2026-05-16.
- OsToken readContract (Etherscan), OsToken 0xf1C9acDc66974dFB6dEcB12aA385b9cD01190E38: owner() = DAO Safe; no cap/maxSupply function exposed. Retrieved 2026-05-16.
Methodology
Determine whether an admin-callable `mint` on a protocol token has no supply cap or an unlimited maximum supply.
See the full factor methodology and distribution across all protocols →
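An added illustration of this check as an ABI scan (example code written for this page, not StakeWise's or the curator's tooling): it flags a token whose external mint(address,uint256) has no exposed supply-cap getter while an owner-level role granter exists, the shape the evidence above describes. The ABI fragments, the setController parameters and the getter/granter name lists are constructed assumptions, not the real OsToken ABI.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified ABI fragments for illustration (NOT the real OsToken ABI).
# UNCAPPED_ABI: controller-gated mint, an owner-level role granter, no cap getter.
UNCAPPED_ABI = json.loads("""[
 {"type":"function","name":"mint","stateMutability":"nonpayable",
  "inputs":[{"name":"account","type":"address"},{"name":"value","type":"uint256"}],"outputs":[]},
 {"type":"function","name":"setController","stateMutability":"nonpayable",
  "inputs":[{"name":"controller","type":"address"},{"name":"enabled","type":"bool"}],"outputs":[]},
 {"type":"function","name":"owner","stateMutability":"view","inputs":[],
  "outputs":[{"name":"","type":"address"}]}
]""")
# CAPPED_ABI: same surface plus an exposed cap() getter (the shape an ERC20Capped token exposes).
CAPPED_ABI = UNCAPPED_ABI + [
 {"type":"function","name":"cap","stateMutability":"view","inputs":[],
  "outputs":[{"name":"","type":"uint256"}]}
]

CAP_GETTERS = ("cap", "maxSupply", "MAX_SUPPLY", "supplyCap")           # assumed common names
ROLE_GRANTERS = ("setController", "grantRole", "addMinter", "setMinter")  # assumed common names

@dataclass
class MintCapFinding:
    admin_mint: bool             # an externally callable mint(address,uint256) exists
    cap_exposed: bool            # a public supply-cap getter is exposed
    role_granter: Optional[str]  # function that lets the owner authorize new minters
    score: str                   # "red", "amber" or "green" in the rubric's colour terms

def _functions(abi):
    return [e for e in abi if e.get("type") == "function"]

def assess_mint_cap(abi) -> MintCapFinding:
    funcs = _functions(abi)
    names = {f["name"] for f in funcs}
    admin_mint = any(
        f["name"] == "mint" and f.get("stateMutability") not in ("view", "pure")
        and [i["type"] for i in f.get("inputs", [])] == ["address", "uint256"]
        for f in funcs)
    cap_exposed = any(n in names for n in CAP_GETTERS)
    granter = next((n for n in ROLE_GRANTERS if n in names), None)
    if not admin_mint:
        score = "green"
    elif not cap_exposed:
        score = "red"    # privileged mint with nothing on the ABI bounding total supply
    else:
        score = "amber"  # a cap is exposed; still confirm it is immutable and enforced in mint()
    # Caveat: the ABI only shows what is exposed. A cap enforced privately inside mint(),
    # or a cap that a setter can raise, is only settled by reading the verified source.
    return MintCapFinding(admin_mint, cap_exposed, granter, score)
```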