The contract DecentralizedStableCoin inherits from the ERC20Burnable contract, which has two public burn-related functions: burn() and burnFrom(). The contract overrides the burn() function to restrict access to only the owner via the onlyOwner modifier. However, the burnFrom() function is not similarly overridden, leaving a discrepancy in access control. This discrepancy could potentially allow unauthorized parties to burn tokens directly, bypassing the intended control of the DSCEngine contract.
The contract DecentralizedStableCoin has overridden the burn() function from ERC20Burnable to ensure that only the contract owner can burn tokens:

However, the contract has not overridden the burnFrom() function, which allows an approved account to burn tokens:

This allows any account with an approved allowance to burn tokens directly, bypassing the DSCEngine contract.
This vulnerability could enable unauthorized burning of tokens, potentially leaving the contract in an undesired state. It might freeze collateralized assets and disrupt the liquidation process, leading to potential loss of funds or instability of the system.
Manual review
Override the burnFrom() function in DecentralizedStableCoin and add the onlyOwner modifier to ensure consistent access control for burning tokens. This will ensure that only the DSCEngine contract can directly burn tokens.
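The recommendation above, written out as an added example (this is not the audited project's code). It assumes OpenZeppelin v5 import paths, the Ownable(initialOwner) constructor and forge-std for the accompanying Foundry test; the custom error names and the mint() helper are assumptions made so the example compiles on its own. Both burn() and burnFrom() carry onlyOwner, and the test shows that an approved spender can no longer burn another holder's tokens while the owner (the engine) still can when it holds an allowance:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the project's code. Assumes OpenZeppelin v5 (Ownable takes
// initialOwner; for v4 drop the constructor argument) and forge-std for the test.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {ERC20Burnable} from "@openzeppelin/contracts/token/ERC20/extensions/ERC20Burnable.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Test} from "forge-std/Test.sol";

contract DecentralizedStableCoin is ERC20Burnable, Ownable {
    // Error names are assumptions for this example.
    error DSC__AmountMustBeMoreThanZero();
    error DSC__BurnAmountExceedsBalance();

    constructor(address initialOwner)
        ERC20("DecentralizedStableCoin", "DSC")
        Ownable(initialOwner)
    {}

    // burn(): restricted to the owner (the engine contract), as the finding describes.
    function burn(uint256 amount) public override onlyOwner {
        if (amount == 0) revert DSC__AmountMustBeMoreThanZero();
        if (balanceOf(msg.sender) < amount) revert DSC__BurnAmountExceedsBalance();
        super.burn(amount);
    }

    // burnFrom(): the inherited ERC20Burnable version is public and only checks the
    // spender's allowance, so without this override any approved account could burn
    // a holder's tokens without going through the engine. Adding onlyOwner makes the
    // access control consistent with burn(); the allowance check in super.burnFrom()
    // still applies, so the owner can only burn what the holder has approved to it.
    function burnFrom(address account, uint256 amount) public override onlyOwner {
        if (amount == 0) revert DSC__AmountMustBeMoreThanZero();
        if (balanceOf(account) < amount) revert DSC__BurnAmountExceedsBalance();
        super.burnFrom(account, amount);
    }

    // Assumed helper so the test can create a balance; minting is also owner-only.
    function mint(address to, uint256 amount) external onlyOwner returns (bool) {
        _mint(to, amount);
        return true;
    }
}

// Foundry test demonstrating the restored access control (assumed harness).
contract DscBurnFromTest is Test {
    DecentralizedStableCoin internal dsc;
    address internal engine = makeAddr("engine");   // plays the role of DSCEngine
    address internal holder = makeAddr("holder");
    address internal spender = makeAddr("spender"); // an arbitrary approved account

    function setUp() public {
        dsc = new DecentralizedStableCoin(engine);
        vm.prank(engine);
        dsc.mint(holder, 100 ether);
        // The holder grants an allowance to an account that is not the engine.
        vm.prank(holder);
        dsc.approve(spender, 100 ether);
    }

    // With the override, allowance alone is no longer enough to burn.
    function test_ApprovedNonOwnerCannotBurnFrom() public {
        vm.prank(spender);
        vm.expectRevert(
            abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, spender)
        );
        dsc.burnFrom(holder, 50 ether);
        assertEq(dsc.balanceOf(holder), 100 ether);
    }

    // The engine still burns through burnFrom() once it holds an allowance.
    function test_OwnerCanBurnFromWithAllowance() public {
        vm.prank(holder);
        dsc.approve(engine, 50 ether);
        vm.prank(engine);
        dsc.burnFrom(holder, 50 ether);
        assertEq(dsc.balanceOf(holder), 50 ether);
        assertEq(dsc.totalSupply(), 50 ether);
    }
}
```

Run with forge test after installing the assumed dependencies. The second test is the one worth keeping in a regression suite: it checks that the override did not break the engine's own burn path, which relies on the holder first approving the engine.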