Anyone can burn their tokens, locking collateral in contract
DecentralizedStableCoin.sol has two onlyOwner functions, burn and mint, and only DSCEngine should be able to burn and mint new tokens.
However, ERC20Burnable exposes another public function, burnFrom, which is not restricted to the owner and can be called by any account. Any account can burn tokens from addresses that have approved it, locking collateral in the contract and breaking the assumption that DSCEngine is the only burner of tokens.
Manual review
Override burnFrom() from ERC20Burnable or don’t use ERC20Burnable and use ERC20 directly instead.
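Both recommendations side by side, as an added illustration that is not the project's own code: the first contract keeps ERC20Burnable but overrides burnFrom so it always reverts, the second drops ERC20Burnable and exposes only owner-gated burn and mint. It assumes OpenZeppelin v5 (Ownable takes the initial owner as a constructor argument); the contract and error names are made up for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the project's code. Assumes OpenZeppelin v5.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {ERC20Burnable} from "@openzeppelin/contracts/token/ERC20/extensions/ERC20Burnable.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// Option 1: keep ERC20Burnable but close the inherited burnFrom path.
contract StableCoinOverride is ERC20Burnable, Ownable {
    error StableCoin__BurnFromDisabled(); // hypothetical error name

    constructor() ERC20("DecentralizedStableCoin", "DSC") Ownable(msg.sender) {}

    // Only the owner (the engine) may burn its own balance.
    function burn(uint256 amount) public override onlyOwner {
        super.burn(amount);
    }

    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }

    // burnFrom is public virtual in ERC20Burnable. Without this override any
    // approved spender could burn a holder's tokens while the engine still
    // records the debt and keeps the collateral locked.
    function burnFrom(address, uint256) public pure override {
        revert StableCoin__BurnFromDisabled();
    }
}

/// Option 2: drop ERC20Burnable entirely and expose only owner-gated
/// wrappers around the internal _burn/_mint, so no public burn path exists.
contract StableCoinPlain is ERC20, Ownable {
    constructor() ERC20("DecentralizedStableCoin", "DSC") Ownable(msg.sender) {}

    function burn(uint256 amount) external onlyOwner {
        _burn(msg.sender, amount);
    }

    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }
}
```

With either variant, a call to burnFrom from a non-owner (or any call at all in option 1) reverts, so the token supply can only shrink through the engine's own burn, keeping it consistent with the debt it tracks.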