Fjord Token Staking
Fjord
DeFiFoundry
20,000 USDC
View results
Previous Next
Submission Details
Severity: medium
Invalid

Unrestricted burnFrom function

tpiliposian

Summary

The FjordPoints contract inherits from ERC20Burnable, which includes the burnFrom function. However, this function is not restricted or overridden in the FjordPoints contract, potentially allowing anyone with an allowance to burn tokens from other users’ balances. This could lead to unintended loss of tokens.

Vulnerability Details

The burnFrom function in the ERC20Burnable contract allows users to burn tokens from another account’s balance based on the allowance granted. In the FjordPoints contract, which inherits this functionality, there is no restriction or custom implementation to control or limit the use of burnFrom.

function burnFrom(address account, uint256 value) public virtual {
_spendAllowance(account, _msgSender(), value);
_burn(account, value);
}
import { ERC20 } from "lib/openzeppelin-contracts/contracts/token/ERC20/ERC20.sol";
import { ERC20Burnable } from
"lib/openzeppelin-contracts/contracts/token/ERC20/extensions/ERC20Burnable.sol";
import { SafeMath } from "lib/openzeppelin-contracts/contracts/utils/math/SafeMath.sol";
import { IFjordPoints } from "./interfaces/IFjordPoints.sol";
/**
* @title FjordPoints
* @dev ERC20 token to represent points distributed based on locked tokens in Staking contract.
*/
contract FjordPoints is ERC20, ERC20Burnable, IFjordPoints {
[...]

Impact

Users can potentially burn tokens from other users’ balances if they have been granted an allowance, leading to financial loss for those users.

Tools Used

Manual review.

Recommendations

Override the burnFrom function in the FjordPoints contract to either disable it or restrict its use.

Updates

Lead Judging Commences

inallhonesty Lead Judge
over 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.