Best Ceramic Yak
High
The missing `onlyCoreContracts` modifier in the `contractBurnFrom` method at `USDa.sol:170` will allow any caller to burn tokens from accounts with sufficient allowances, as no checks ensure that the caller is a contract or a specific core contract. This could result in unauthorized token burns and potential token loss for users.
In `USDa.sol:170`, the `contractBurnFrom` method lacks the `onlyCoreContracts` modifier. Without this, there is no validation to check if the caller is an authorized contract or even a smart contract (via `isContract`).
- A user must approve a spender (possibly malicious) using the `contractApprove` function to allow burning tokens.
- The approved spender has sufficient allowance to burn tokens on behalf of the user.
- The protocol does not enforce restrictions on which entity can call the `contractBurnFrom` function.
- An attacker calls `contractApprove` to set themselves as a spender for an account.
- The attacker calls `contractBurnFrom` with the approved account as the `owner` and specifies an amount within the approved allowance.
- Tokens are burned from the owner’s account without additional checks or restrictions.
The protocol allows any caller to burn tokens from approved accounts, leading to potential token loss for users. An attacker could exploit this by:
- Burning tokens without authorization.
- Depleting the supply of tokens available to legitimate users.
No response
Add the `onlyCoreContracts` modifier to the `contractBurnFrom` function to restrict its usage to authorized core contracts only. Additionally, ensure that a check like `isContract` verifies that the caller is a smart contract to avoid abuse from EOAs (Externally Owned Accounts).
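
The recommended restriction, as an added example that is not code from `USDa.sol` or the audited project: a hypothetical token `GatedBurnToken` whose `contractBurnFrom` reverts unless the caller is on an allowlist, even when that caller holds an allowance. Only the names `onlyCoreContracts` and `contractBurnFrom` come from the report; the allowlist mapping, `setCoreContract`, `approve`, the custom errors and the constructor are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical token for illustration. Every name except onlyCoreContracts
// and contractBurnFrom is an assumption, not taken from USDa.sol.
contract GatedBurnToken {
    address public immutable admin;
    mapping(address => bool) public isCoreContract; // assumed allowlist
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public totalSupply;

    error NotCoreContract(address caller);
    error NotAdmin();

    constructor(uint256 supply) {
        admin = msg.sender;
        balanceOf[msg.sender] = supply;
        totalSupply = supply;
    }

    // Allowlist membership is the control. A bare code-size check is weaker:
    // an address has no code while its own constructor is executing.
    modifier onlyCoreContracts() {
        if (!isCoreContract[msg.sender]) revert NotCoreContract(msg.sender);
        _;
    }

    function setCoreContract(address target, bool allowed) external {
        if (msg.sender != admin) revert NotAdmin();
        isCoreContract[target] = allowed;
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    // Gated variant: the caller must be allowlisted AND hold an allowance.
    function contractBurnFrom(address owner, uint256 amount) external onlyCoreContracts returns (bool) {
        allowance[owner][msg.sender] -= amount; // reverts on underflow in 0.8+
        balanceOf[owner] -= amount;             // reverts if balance is too low
        totalSupply -= amount;
        return true;
    }
}
```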