Trying to get your head around the difference between ‘mintable tokens’ and ‘mineable tokens’ can be a complicated affair, primarily because there is a lot of slippage in the terminology between the two. Whilst both are essential to the cryptocurrency landscape today, there are profound differences between the two in terms of both utility and design. This in turn has far-reaching implications for the kinds of functions they can perform and the security risks they entail. Read on to find out more!
To be clear, both mineable tokens and mintable tokens result in new tokens being produced. The difference is that minting new tokens through mining requires a lot more time, resources and effort.
As you likely know, both the proof-of-work and proof-of-stake protocols make use of mechanisms that ensure users have a vested interest in upholding the validity of the network. For proof-of-work tokens, this investment takes the form of a significant amount of computational energy spent on being the fastest to solve complicated equations in order to submit new transactions and win the block reward.
In proof-of-stake, the investment comes in the form of users having an existing stake in the network, which then allows them to participate in a randomized lottery where the winner is selected to validate the next block and (you guessed it) win the block reward.
In each, the block reward is set at a fixed number, meaning that it is impossible to manipulate the token supply. Consequently, both processes ensure that the cryptocurrency has a fixed supply and the scarcity of the currency is ensured.
By contrast, mintable tokens do not depend on any underlying consensus mechanism for their supply. Instead, they are minted via smart contracts supported by smart contract platforms like Ethereum. As such, they can be secured by having a third party conduct a smart contract audit, a rigorous process of peer review that better protects the audited project against attack.
One clear example of the radical potential of mintable tokens is NFTs, the non-fungible tokens that have revolutionized multiple industries including the world of art, gaming, and more. By making use of the [ERC721](https://ethereum.org/en/developers/docs/standards/tokens/erc-721/) token standard, users are able to mint a near-infinite array of things in the same way they would a crypto token, with the important difference that, unlike a token in a cryptocurrency, NFTs cannot be replicated. This is of course only practical given that tokens can be minted without the resources needed by mining. Over the last year we have seen an astronomical rise in the number of innovative NFT projects that are changing the space. The good news is that, just like cryptocurrencies, NFT projects can be made more secure with a smart contract audit!
Another of the more prominent uses of mintable tokens has been in decentralized exchanges (DEXs) like Uniswap. These use them to incentivize users to provide liquidity to trading pairs by rewarding participants with a native LP token (liquidity pool token) based on the amount they have staked.
For example, if Jeff were to stake his ETH in a liquidity pool that facilitates an ETH-MATIC trading pair, he would be rewarded with the DEX’s native LP tokens on top of a portion of the trading fees paid by traders who use that liquidity pool to trade. For this to work, the supply of LP tokens cannot be dependent on mining and must therefore be generated as mintable tokens by a smart contract.
However, with such exciting new features come new attack vectors and vulnerabilities for hackers to manipulate and exploit. DEXs in particular are vulnerable to the notorious flash loan attacks that have plagued many projects over the last year. Many of these vulnerabilities are bound up with the process within the smart contract known as the minting function.
To further understand the nuts and bolts of mintable tokens, we have to understand what a minting function is and the role it plays in controlling the token supply.
At its most basic level, a function is an element of a smart contract’s code that can get information or set information in response to incoming transactions.
Within projects that have mintable tokens, one of these functions is called a ‘minting function’. What does this function do, you ask? That’s right! It mints new tokens! Well done, you are well on your way to becoming a coder. How a minting function is written into a smart contract will determine who is able to access the mint functionality, and how many new tokens they will be able to mint at a time.
Mintable tokens have undoubtedly revolutionized the way blockchains and cryptocurrencies operate, paving the way for countless new use cases and playing a central role in the growth of whole new industries. However, in departing from the rigorously tested system of consensus mechanisms that is key to Bitcoin security and the security of other mining tokens, mintable tokens have opened up a whole new frontier for hackers and bad actors to exploit gaps in crypto security, and have created a new set of vulnerabilities to check for when conducting a smart contract audit and maintaining blockchain security.
Central to this are exploits that target the minting function and attempt to exploit errors and weaknesses in the code or structure of the smart contract. For example, the infamous Infinite Mint Attack occurs when a hacker is able to mint a huge number of tokens before dumping them. Such attacks occur when a bad actor gains access to the private key of the smart contract, and can consequently come from outside the project due to poor key management, or from inside the project, from the founder. In the latter case, both a smart contract audit and CertiK’s KYC verification service for project teams can help to bolster user confidence in a project by deanonymizing project teams and creating greater accountability through a rigorous vetting process.
Such attacks are a result of what is the Achilles’ heel of the security of many blockchain projects: centralization risk. Where decentralization is the holy grail of blockchain security, centralization is all too often its downfall. So much so that CertiK’s State of DeFi Security 2021 report lists “Centralization issues [as] the most common attack vector”.
At the level of code, minting functions have been exploited due to improper use of the visibility and restriction features in Solidity, the coding language used by Ethereum. When conducting a smart contract audit, auditors will check that the project has understood how to use the four basic visibility specifiers provided by Solidity (private, external, internal, public). This is an essential way of ensuring that a smart contract can only be accessed by people with proper authorization, and protects the minting function from being called by external parties. Similarly, the code can be written so as to prevent the owner of a smart contract from minting too many tokens, which helps to protect it against Infinite Mint Attacks from internal parties.
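The two checks described above, shown as an added example (not code from this article or from any audited project): a mint function left public with no caller check, beside a version restricted to a single minter address and bounded by a supply cap. The contract names, `MAX_SUPPLY` and its value are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; all contract, variable and error names are hypothetical.

// Weak: mint() is public with no caller check, so any account can inflate supply.
contract UnrestrictedMintToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    function mint(address to, uint256 amount) public {
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

// Hardened: only the minter may call mint(), and a hard cap bounds what even
// the minter (or anyone holding the minter's key) can ever create.
contract CappedMintToken {
    uint256 public constant MAX_SUPPLY = 1_000_000 ether; // assumed cap, 18 decimals
    address public immutable minter;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    event Transfer(address indexed from, address indexed to, uint256 value);

    error NotMinter(address caller);
    error CapExceeded(uint256 requested, uint256 remaining);

    modifier onlyMinter() {
        if (msg.sender != minter) revert NotMinter(msg.sender);
        _;
    }

    constructor(address minter_) {
        require(minter_ != address(0), "minter is zero address");
        minter = minter_;
    }

    // external + onlyMinter: callable from outside, but only by the minter.
    function mint(address to, uint256 amount) external onlyMinter {
        uint256 remaining = MAX_SUPPLY - totalSupply;
        if (amount > remaining) revert CapExceeded(amount, remaining);
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }
}
```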
For all these attacks, the most vital step any project can take in ensuring blockchain security is to get a smart contract audit from a third party auditor. A rigorous and professional smart contract audit will ensure that your entire codebase will be examined line by line, and that formal verification techniques will be applied to your smart contracts. However, although a smart contract audit is hugely important, no smart contract audit can guarantee 100% security, and it is therefore important for projects to take a security mindset before the first line of code is even written. Check out this article to see our Top 10 DeFi Security Best Practices where you can learn more about what goes into a CertiK smart contract audit.