Submission Details
Severity:
Owner receives all token when burning
High: All contract tokens transfered to Owner when burning any amount
Description
When burnFaucetTokens is called with any amount the _transfer function sends all tokens from the contract to the owner
function burnFaucetTokens(uint256 amountToBurn) public onlyOwner {
require(amountToBurn <= balanceOf(address(this)), "Faucet Token Balance: Insufficient");
// transfer faucet balance to owner first before burning
// ensures owner has a balance before _burn (owner only function) can be called successfully
_transfer(address(this), msg.sender, balanceOf(address(this))); <@ All tokens are transfered to Owner
_burn(msg.sender, amountToBurn); <@ Burning only the amount supposed to be burned
}
Risk
Likelihood: High
When Owner calls `burnFaucetTokens`
Impact: High
All the tokens from the faucet contract are transfered to the Owner.
Proof of Concept
Scenario:
Owner burns whatevet amount, for the purpose of the test - 1 token.
Result: The token is burned, but all the tokens from the contract are now in the Owner.
function testBurnFaucetTokens() public {
uint256 amountToBurn = 1e18; // 1 token
// verify that the contract have the initial supply
assertEq(raiseBoxFaucet.getFaucetTotalSupply(), INITIAL_SUPPLY_MINTED);
// burn single token
vm.prank(owner);
raiseBoxFaucet.burnFaucetTokens(amountToBurn);
// The tokens in the contract are now 0
assertEq(raiseBoxFaucet.getFaucetTotalSupply(), 0);
// The owner have all the tokens - amountToBurn.
assertEq(raiseBoxFaucet.getBalance(owner),INITIAL_SUPPLY_MINTED - amountToBurn);
}
Recommended Mitigation
Replace the balanceOf(address(this) in the _transfer call with amountToBurn
function burnFaucetTokens(uint256 amountToBurn) public onlyOwner {
require(amountToBurn <= balanceOf(address(this)), "Faucet Token Balance: Insufficient");
// transfer faucet balance to owner first before burning
// ensures owner has a balance before _burn (owner only function) can be called successfully
- _transfer(address(this), msg.sender, balanceOf(address(this)));
+ _transfer(address(this), msg.sender, amountToBurn);
_burn(msg.sender, amountToBurn);
}
Updates
Lead Judging Commences
inallhonesty 15 days ago
Submission Judgement Published Assigned finding tags:
Unnecessary and convoluted logic in burnFaucetTokens
Rewards breakdown
nSLOC
157This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.