Skip to content

Latest commit

 

History

History
68 lines (48 loc) · 1.67 KB

001.md

File metadata and controls

68 lines (48 loc) · 1.67 KB

Clever Fern Rooster

Medium

contractBurnFrom function miss the onlyCoreContracts modifier

Summary

The burn of the tokens is only reserved to the core contracts:

    function burn(uint256 value) public override onlyCoreContracts {
        super.burn(value);
    }

    function burnFrom(
        address account,
        uint256 value
    ) public override onlyCoreContracts {
        super.burnFrom(account, value);
    }

Any user could bypass this by burning tokens with contractBurnFrom that miss the onlyCoreContracts modifier:

    function contractBurnFrom(
        address owner,
        uint256 amount
    ) public returns (bool) {
        uint256 currentAllowance = contractAllowances[owner][msg.sender];
        if (currentAllowance != type(uint256).max) {
            if (currentAllowance < amount) revert ERC20InsufficientAllowance(msg.sender, currentAllowance, amount);
            _contractApprove(owner, msg.sender, currentAllowance - amount);
            _burn(owner, amount);
            return true;
        } else {
            return false;
        }
    }

Root Cause

Missing access control on the contractBurnFrom function.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  1. Address A gives x allowance to address B.
  2. Address B call contractBurnFrom to burn x tokens of address A.

Impact

Breaks core contract functionality.

PoC

No response

Mitigation

Add the onlyCoreContracts modifier to the contractBurnFrom function.