Core Contracts

Regnum Aurum Acquisition Corp
Hardhat, Real World Assets, NFT
77,280 USDC
Submission Details
Severity: high
Invalid

Flawed AND operator DoSes minting and burning of debt token

Description

While the overridden _update() function in DebtToken prevents debt transfers, it also prevents debt minting and burning, because the && operator is used instead of ||.

As a result, the code requires both from and to to be the zero address. On the other hand, either one of them is the zero address during minting or burning operations.

// https://github.com/Cyfrin/2025-02-raac/blob/main/contracts/core/tokens/DebtToken.sol#L256-L259
function _update(address from, address to, uint256 amount) internal virtual override {
    if (from != address(0) && to != address(0)) {
        revert TransfersNotAllowed(); // Only allow minting and burning
    }
    ...
}

Recommendations

function _update(address from, address to, uint256 amount) internal virtual override {
- if (from != address(0) && to != address(0)) {
+ if (from != address(0) || to != address(0)) {
revert TransfersNotAllowed(); // Only allow minting and burning
}
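
Review bot: the || on the + line tightens the guard instead of relaxing it. On a mint, from is address(0) but to is not, so to != address(0) is true and the call reverts; on a burn, from != address(0) is true and it reverts too. With || the only call that passes is one where both from and to are address(0), which contradicts the comment "Only allow minting and burning". The && on the - line reverts only when both addresses are non-zero, that is, on a transfer, so the condition should stay as it is.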
Updates

Lead Judging Commences

inallhonesty Lead Judge 7 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

inallhonesty Lead Judge 6 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
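
The guard discussed in this submission, exercised with both operators, as an added example that is not part of the submission or the RAAC code base. GuardModel, GuardCheck, useOr and run are hypothetical names; only the two conditions come from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed minimal ledger, not the RAAC DebtToken. Only the guard
// condition is taken from the page; every other name is hypothetical.
contract GuardModel {
    error TransfersNotAllowed();

    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    bool public immutable useOr; // false: && (code under review), true: || (proposed)

    constructor(bool useOr_) {
        useOr = useOr_;
    }

    function _update(address from, address to, uint256 amount) internal {
        bool blocked = useOr
            ? (from != address(0) || to != address(0))
            : (from != address(0) && to != address(0));
        if (blocked) revert TransfersNotAllowed();

        // Same convention as ERC20: zero "from" is a mint, zero "to" is a burn.
        if (from == address(0)) totalSupply += amount;
        else balanceOf[from] -= amount;
        if (to == address(0)) totalSupply -= amount;
        else balanceOf[to] += amount;
    }

    function mint(address to, uint256 amount) external { _update(address(0), to, amount); }
    function burn(address from, uint256 amount) external { _update(from, address(0), amount); }
    function transfer(address to, uint256 amount) external { _update(msg.sender, to, amount); }
}

contract GuardCheck {
    // Runs mint, burn and transfer against a fresh model and reports which
    // calls got past the guard for the chosen operator.
    function run(bool useOr) external returns (bool mintOk, bool burnOk, bool transferOk) {
        GuardModel m = new GuardModel(useOr);
        try m.mint(address(this), 10) { mintOk = true; } catch {}
        try m.burn(address(this), 4) { burnOk = true; } catch {}
        try m.transfer(address(0xBEEF), 1) { transferOk = true; } catch {}
    }
}
```

With useOr set to false only the transfer reverts; with useOr set to true all three calls revert, because every mint and burn has one non-zero address.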
