We tested AuditAgents against a vulnerable token contract where any user could mint unlimited tokens due to missing access control.
Access control failures are among the most common and dangerous smart contract vulnerabilities. A single unrestricted administrative function can allow attackers to create tokens, seize ownership, manipulate protocol state, or drain liquidity.
For this benchmark, we created a vulnerable token contract containing an unrestricted mint function and submitted it to AuditAgents without manual hints or modifications.
The following contract reproduces the unrestricted minting vulnerability class:
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract VulnerableToken {
    string public name = "VulnToken";
    string public symbol = "VULN";
    uint256 public totalSupply;
    mapping(address => uint256) public balances;

    // ⚠ No access control — any caller can mint unlimited tokens
    function mint(address to, uint256 amount) public {
        balances[to] += amount;
        totalSupply += amount;
    }

    // Plain balance transfer; the only check is the sender's balance
    function transfer(address to, uint256 amount) external {
        require(balances[msg.sender] >= amount, "Insufficient balance");
        balances[msg.sender] -= amount;
        balances[to] += amount;
    }
}
```
The `mint()` function lacks any `onlyOwner` or role-based guard. Any externally owned account can call it, mint arbitrary token quantities to any address, and instantly inflate the total supply, collapsing the token's value or draining DEX liquidity pools.
The following issues were identified by AuditAgents without any hints or prior knowledge of the vulnerability:
| Expected Detection | AuditAgents Result |
|---|---|
| Missing Access Control | ✓ PASS |
| Unlimited Minting | ✓ PASS |
| Supply Inflation Risk | ✓ PASS |
| Economic Impact Analysis | ✓ PASS |
| Remediation Guidance | ✓ PASS |
AuditAgents successfully identified the unrestricted minting vulnerability, explained the inflation attack vector, described the economic consequences including DEX liquidity drain, and provided accurate remediation guidance — all without any hints or prior guidance.
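For reference, this is the hardened form of the benchmark contract that the remediation guidance above points toward. It is an added example written for this post, not the contract AuditAgents produced: the mint path is gated by an owner check and a fixed supply cap (`maxSupply`, an assumed deployment parameter), so neither an arbitrary caller nor a compromised owner key can inflate supply without bound.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hardened variant of VulnerableToken (added example, not the original benchmark code).
contract GuardedToken {
    string public name = "GuardedToken";
    string public symbol = "GRD";
    uint256 public totalSupply;
    uint256 public immutable maxSupply;   // assumption: hard cap fixed at deployment
    address public owner;
    mapping(address => uint256) public balances;

    event Mint(address indexed to, uint256 amount);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    // Restricts a function to the current owner; the missing piece in the vulnerable contract.
    modifier onlyOwner() {
        require(msg.sender == owner, "Not owner");
        _;
    }

    constructor(uint256 _maxSupply) {
        owner = msg.sender;
        maxSupply = _maxSupply;
    }

    // Only the owner can mint, and never beyond maxSupply, which bounds the
    // damage even if the owner key is compromised.
    function mint(address to, uint256 amount) external onlyOwner {
        require(to != address(0), "Mint to zero address");
        require(totalSupply + amount <= maxSupply, "Cap exceeded");
        balances[to] += amount;
        totalSupply += amount;
        emit Mint(to, amount);
    }

    // Emits an event so ownership changes are visible to monitoring.
    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "Zero owner");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }

    function transfer(address to, uint256 amount) external {
        require(to != address(0), "Transfer to zero address");
        require(balances[msg.sender] >= amount, "Insufficient balance");
        balances[msg.sender] -= amount;
        balances[to] += amount;
    }
}
```

A production token would normally use a role-based scheme (separate minter and admin roles) and a two-step ownership handover rather than the single owner shown here.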