defirisk.co
rubric v1.7.0

Admin has mint() with unlimited max

Lombard Finance's assessment for RD-F-042 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

MINTER_ROLE on StakedLBTC/NativeLBTC has no contract-enforced supply cap (no maxSupply variable). Minting requires MINTER_ROLE + valid cryptographic proof from Consortium (10-of-15) + Bascule co-signature. A compromised MINTER_ROLE alone cannot mint without corresponding Consortium+Bascule proof, providing operational but not contract-level cap.

Sources #

  • URL
    https://docs.lombard.finance/technical-documentation/protocol-architecture/lbtc-designretrieved 2026-05-05
  • Etherscan
    https://etherscan.io/address/0x072072317469ebb6c340a47e41561c9c3b782bd9#coderetrieved 2026-05-05

Methodology #

Determine whether an admin-callable `mint` on a protocol token has no supply cap or an unlimited maximum supply.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol lombard factor RD-F-042 score yellow collected_at 2026-05-05 12:03:08