addToken allows anyone to list a new token on Hermez.
This contradicts the online documentation, which implies that only the governance should have this authorization.
It is unclear whether the implementation or the documentation is correct.
Short term, update either the implementation or the documentation to standardize the authorization specification for adding tokens.
Long term, write a specification of each function and thoroughly test it with unit tests and fuzzing.
Use symbolic execution for arithmetic invariants.
- ToB Audit Hermez Network Finding 21
- Access Control
- Adding New tokens
- Anyone or Governance
- Sync Specification -> Implementation