Submission Details
Severity:
Missing access restriction and authorization in `KittyFi::burnKittyCoin` function
Vulnerability Details: The burnKittyCoin function allows any external account or contract to burn tokens on behalf of any address without proper authorization checks. This lack of access control exposes users balances to potential manipulation and unauthorized depletion.
Impact:
This could result in underflow errors or transaction failures if
_onBehalfOfhas an insufficient balance. It may also lead to inconsistencies in the balance records.An attacker could maliciously burn tokens from someone else's balance, leading to unauthorized depletion of assets.
This could allow meaningless or zero-value transactions, which might be exploited to trigger certain state changes or events without any real transfer of value.
Recommendations: Implement access control.
+ function burnKittyCoin(address _onBehalfOf, uint256 _ameownt) external onlyAuthorized(_onBehalfOf) {
+ require(_ameownt > 0, "Amount must be greater than zero");
+ require(kittyCoinMeownted[_onBehalfOf] >= _ameownt, "Insufficient balance");
kittyCoinMeownted[_onBehalfOf] -= _ameownt;
i_kittyCoin.burn(msg.sender, _ameownt);
}
Rewards breakdown
nSLOC
224This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.