defirisk.co
rubric v1.7.0

Admin has mint() with unlimited max

Axelar Network's assessment for RD-F-042 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary

The gateway mints bridged wrapped tokens via commands authorized by the validator set (≥2/3 quorum). setTokenMintLimits() is callable by the mintLimiter (Multisig 3-of-6, no additional timelock) to set per-token, per-6h transfer caps. The mint authority is the validator quorum (strong), but the Multisig can reset mintLimits to any value without a timelock. No traditional admin-only mint(uint256) function was found on ITS or the gateway. The mintLimits act as a secondary circuit breaker that the Multisig can adjust.

Sources

  • GitHub
    AxelarGateway.sol: setTokenMintLimits() callable by mintLimiter role; upgrade() gated by governance (retrieved 2026-05-17)
  • Docs
    Axelar Security Model: Axelar security docs on gateway rate limiting; mintLimiter controls per-asset per-window caps (retrieved 2026-05-17)

Methodology

Determine whether an admin-callable `mint` on a protocol token has no supply cap or an unlimited maximum supply.

rubric_version: v1.7.0
protocol: axelar
factor: RD-F-042
score: yellow
collected_at: 2026-05-16 21:57:49