Requiring msg.sender to be an ERC20 contract

I’m using an ERC20-based contract (let's call it Token) to give users tokens that can be redeemed against ERC721 NFTs generated by another contract (let's call it Generator).

The users can call a redeem() function on the ERC20 contract to burn some of their tokens in exchange for NFTs. Once the burn has been performed, Token calls a function mint() on Generator that mints the NFTs and transfers them to Token, which then transfers them to the user.

To prevent mint() from being called by unauthorized parties, I’ve added a require check that calls can only come from the ERC20 contract’s address.

```solidity
IERC20 public Token;
[...]
function mint(uint256 _amount) external {
    require(msg.sender == address(Token), "Only the token contract can call the mint function");
```

I am wondering whether that is secure enough or whether it would be possible for the owner of the ERC20 contract, token holders or any other party to spoof msg.sender and directly call that function.

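The redeem/mint flow described in the question, as an added sketch that is not the poster's code: the `msg.sender` guard on `mint()` with the authorized address made immutable, and `redeem()` as the single path that reaches it. Assumptions: the contracts are simplified stand-ins (not full ERC20/ERC721), `mint()` takes a recipient instead of minting to Token first, and `TOKENS_PER_NFT`, `nextId`, `ownerOf` and `NotToken` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration: simplified stand-ins, not full ERC20/ERC721 implementations.
contract Generator {
    // Fixed at deployment, so no owner or setter can repoint it later
    // (assumption of this sketch; the post only shows a public `Token` variable).
    address public immutable token;
    uint256 public nextId;
    mapping(uint256 => address) public ownerOf;

    error NotToken(address caller);

    constructor(address token_) {
        token = token_;
    }

    // msg.sender is set by the EVM to the account or contract that made this
    // call; calldata cannot override it. tx.origin would be the wrong check here.
    function mint(address to, uint256 amount) external {
        if (msg.sender != token) revert NotToken(msg.sender);
        for (uint256 i = 0; i < amount; i++) {
            ownerOf[nextId++] = to;
        }
    }
}

contract Token {
    uint256 public constant TOKENS_PER_NFT = 100; // hypothetical price
    Generator public immutable generator;
    mapping(address => uint256) public balanceOf;

    constructor(uint256 supply) {
        balanceOf[msg.sender] = supply;
        // Deploying Generator from here binds it to this Token's address.
        generator = new Generator(address(this));
    }

    // The only code path in Token that calls Generator.mint(). The guard on
    // mint() is only as strong as this function, so the burn happens first.
    function redeem(uint256 nftCount) external {
        balanceOf[msg.sender] -= nftCount * TOKENS_PER_NFT; // reverts on underflow in 0.8
        generator.mint(msg.sender, nftCount);
    }
}
```

When reviewing a design like this, the points to check are whether the stored token address can be changed after deployment and whether Token exposes any other function that makes external calls on a caller's behalf.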