The burnKittyCoin function in the KittyPool contract allows any user to reduce the debt of any account by burning KittyCoin tokens from their own account. This issue arises because the function is public and uses msg.sender for the token burning process while adjusting the debt of the _onBehalfOf address, leading to potential unauthorized modifications.
In the burnKittyCoin function:

The function decreases the debt for the specified _onBehalfOf address by subtracting _ameownt from kittyCoinMeownted[_onBehalfOf]. It then burns the KittyCoin tokens from the caller's address (msg.sender), which does not necessarily match the _onBehalfOf address.

Since the function is public, any user can call it to:

- Reduce the debt of any arbitrary account (_onBehalfOf).
- Burn tokens from their own account (msg.sender), leading to potential desynchronization and unauthorized debt adjustments.
The impact of this issue includes:
Unauthorized Debt Adjustment: Users can manipulate the system to reduce the debt of any account by burning tokens from their own account, which may lead to financial discrepancies and potential exploitation.
Data Integrity Issues: The mismatch between the debt reduction and token burning can result in inaccurate debt balances and undermine the system's integrity.
Manual Review
To prevent unauthorized access and ensure correct synchronization between debt management and token burning, remove the _onBehalfOf parameter from the burnKittyCoin function. Update the function to operate solely based on the caller address (msg.sender).
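The pattern described above and the recommended fix, side by side, as an added illustration that is not the project's own code: the IKittyCoin interface, the burn signature and the contract layout are assumptions made for this example; only the names burnKittyCoin, _onBehalfOf, _ameownt and kittyCoinMeownted come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed interface for the KittyCoin token (not taken from the project).
interface IKittyCoin {
    function burn(address from, uint256 amount) external;
}

contract KittyPoolBurnExample {
    IKittyCoin public immutable kittyCoin;

    // Outstanding KittyCoin debt per account.
    mapping(address => uint256) public kittyCoinMeownted;

    event KittyCoinBurned(address indexed account, uint256 ameownt);

    constructor(address _kittyCoin) {
        kittyCoin = IKittyCoin(_kittyCoin);
    }

    // Weak form matching the finding: the debt that is reduced belongs to
    // _onBehalfOf, but the tokens are burned from msg.sender. Any caller can
    // therefore shrink another account's debt using their own tokens, so the
    // two balances the pool relies on no longer move together.
    function burnKittyCoin_vulnerable(address _onBehalfOf, uint256 _ameownt) external {
        require(kittyCoinMeownted[_onBehalfOf] >= _ameownt, "burn exceeds debt");
        kittyCoinMeownted[_onBehalfOf] -= _ameownt;
        kittyCoin.burn(msg.sender, _ameownt);
        emit KittyCoinBurned(_onBehalfOf, _ameownt);
    }

    // Recommended fix: drop the _onBehalfOf parameter so both the debt
    // reduction and the token burn are keyed on msg.sender. A caller can now
    // only repay their own position, and the debt mapping and token supply
    // change for the same account in the same transaction.
    function burnKittyCoin(uint256 _ameownt) external {
        require(kittyCoinMeownted[msg.sender] >= _ameownt, "burn exceeds debt");
        kittyCoinMeownted[msg.sender] -= _ameownt;
        kittyCoin.burn(msg.sender, _ameownt);
        emit KittyCoinBurned(msg.sender, _ameownt);
    }
}
```

The explicit require gives a readable revert reason; under Solidity 0.8 the subtraction would revert on underflow anyway, so it is a clarity improvement rather than a correctness one.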