The DecentralizedStableCoin
contract, which extends the ERC20Burnable
contract, introduces a vulnerability allowing non-owners to burn tokens. While the burn
function of the contract is protected by the onlyOwner
modifier, the inherited burnFrom
function from the ERC20Burnable
contract remains unprotected.
The vulnerability arises from the fact that the DecentralizedStableCoin
contract is a derivative of the ERC20Burnable
contract, which includes the burnFrom
function. The burnFrom
function permits a user to burn tokens from any account for which they have approval. However, in the DecentralizedStableCoin
contract, the intention seems to be to only allow the owner to burn tokens. This discrepancy opens the door for an exploit.
In the provided POC, it is demonstrated that a non-owner can burn tokens from an account for which they have approval.
This vulnerability could allow an attacker to burn tokens from any account, given that they have approval. Depending on the application's context and token's usage it can result potential disruption of the token's economics.
Manual revision
The issue can be mitigated by adding an additional modifier on the burnFrom
function, ensuring only the owner can execute it. Or perhaps a better solution is to avoid exteding ERC20Burneable
and just use ERC20
.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.