Anyone can call DecentralizedStableCoin::burnFrom as it is not gated by onlyOwner.

DecentralizedStableCoin does not override burnFrom, which means that anyone can call the original ERC20Burnable::burnFrom function that it inherits.

Burning (and minting) must be done only by the project's core functionality, the DSCEngine, and only when collateral is removed or added, in order to maintain a calculated, known balance of collateral vs. minted tokens and for internal accounting purposes. Allowing burning by anyone is a severe protocol issue.

Tools used: manual review.

Override the burnFrom function from ERC20Burnable and add the onlyOwner modifier (plus an amount != 0 check), or simply revert on call, since burnFrom is not used in DSCEngine.
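The recommended fix, written out as an added example rather than the project's own code: the burnFrom override gated by onlyOwner with the amount check, followed by a Foundry regression test showing that an approved spender who is not the owner can no longer burn. The token name and symbol, the mint helper, the custom error name and OpenZeppelin v5 / forge-std are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {ERC20Burnable} from "@openzeppelin/contracts/token/ERC20/extensions/ERC20Burnable.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {Test} from "forge-std/Test.sol";

// Hardened token: both burn entry points are gated by onlyOwner (the owner is
// assumed to be the DSCEngine). Name/symbol, error name and mint are assumptions.
contract DecentralizedStableCoin is ERC20Burnable, Ownable {
    error DecentralizedStableCoin__MustBeMoreThanZero();
    constructor() ERC20("DecentralizedStableCoin", "DSC") Ownable(msg.sender) {}

    function mint(address to, uint256 amount) external onlyOwner {
        if (amount == 0) revert DecentralizedStableCoin__MustBeMoreThanZero();
        _mint(to, amount);
    }

    function burn(uint256 amount) public override onlyOwner {
        if (amount == 0) revert DecentralizedStableCoin__MustBeMoreThanZero();
        super.burn(amount);
    }

    // The missing override: without it the inherited ERC20Burnable.burnFrom is
    // callable by any address holding an allowance. Gating it keeps every burn
    // under the engine's collateral accounting.
    function burnFrom(address account, uint256 amount) public override onlyOwner {
        if (amount == 0) revert DecentralizedStableCoin__MustBeMoreThanZero();
        super.burnFrom(account, amount);
    }
}

// Foundry regression test: a non-owner with an allowance can no longer burn.
contract DscBurnFromTest is Test {
    DecentralizedStableCoin dsc;
    address holder = makeAddr("holder");
    address spender = makeAddr("spender");

    function setUp() public {
        dsc = new DecentralizedStableCoin(); // this test contract is the owner
        dsc.mint(holder, 100e18);
        vm.prank(holder);
        dsc.approve(spender, 100e18); // allowance alone must not permit a burn
    }

    function testBurnFromRevertsForNonOwner() public {
        vm.prank(spender);
        vm.expectRevert(abi.encodeWithSelector(Ownable.OwnableUnauthorizedAccount.selector, spender));
        dsc.burnFrom(holder, 50e18);
        assertEq(dsc.balanceOf(holder), 100e18); // balance untouched
    }
}
```

Run with `forge test --match-contract DscBurnFromTest`; the same test fails against the unmodified contract, which is the point of keeping it in the suite.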