Foundry DeFi Stablecoin CodeHawks Audit Contest

Cyfrin

DeFiFoundry

15,000 USDC

View results

Previous Next

Submission Details

Severity: medium

`Decentralized StableCoin.burn` architecture is inconsistent

0xsmartcontract

Summary

The burn function in the DecentralizedStableCoin contract can only burn tokens from its own address, but it must burn the token at the desired address

Vulnerability Details

DecentralizedStableCoin.burn architecture is inconsistent

In the DecentralizedStableCoin contract, there are mint and burn functions. In the mint transaction, onlyOwner can mint as many tokens as he wants to the address he wants, while in the burn function he only burns the token in his own wallet.

When we examine whether this is an error since it is not specified in the requested architectural documents or NatSpec comments;
The same mint framework of OnlyOwner is expected in the burn function, this is best practice.
In addition, the fact that the token mint to another address cannot be burned will limit the effect of the burn function.

Based on these, it can be said that the architecture of the burn function is inconsistent and faulty.

src/DecentralizedStableCoin.sol:

46: function burn(uint256 _amount) public override onlyOwner {

47: uint256 balance = balanceOf(msg.sender);

48: if (_amount <= 0) {

49: revert DecentralizedStableCoin__MustBeMoreThanZero();

50: }

51: if (balance < _amount) {

52: revert DecentralizedStableCoin__BurnAmountExceedsBalance();

53: }

54: super.burn(_amount);

55: }

Impact

burn architecture strength should be increased

Tools Used

Manuel Code review

Recommendations

src/DecentralizedStableCoin.sol:

- 46: function burn(uint256 _amount) public override onlyOwner {

+ 46: function burn(uint256 _amount, address account) public override onlyOwner {

- 47: uint256 balance = balanceOf(msg.sender);

48: if (_amount <= 0) {

49: revert DecentralizedStableCoin__MustBeMoreThanZero();

50: }

- 51: if (balance < _amount) {

- 52: revert DecentralizedStableCoin__BurnAmountExceedsBalance();

- 53: }

- 54: super.burn(_amount);

+ 54: super.burnFrom(uint256 _amount, address account);

55: }

Prize pool breakdown

Total prize

15,000 USDC

nSLOC

236

64 USDC / LOC

High Medium

14,000 USDC

Low

1,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.