`burnFaucetTokens` transfers entire contract balance instead of the requested burn amount
burnFaucetTokens transfers entire contract balance instead of the requested burn amount
Description
burnFaucetTokens currently does:
This transfers the entire faucet contract token balance to owner (not only amountToBurn). Then it burns amountToBurn from owner. The result: owner gets all current faucet tokens even when they intended to burn only amountToBurn, and leftover tokens remain with owner instead of being burned.
Impact: Owner can accidentally (or maliciously) receive the entire faucet balance when burning a smaller amount, changing the token distribution and draining the faucet.
Risk
Likelihood: Medium
Impact: Medium (owner receiving more tokens than intended)
Proof of Concept
Recommended Mitigation
Transfer exactly amountToBurn before burning (or directly call _burn(address(this), amount) if allowed by design and if _burn accepts burning from contract without transferring).
Option A - transfer amountToBurn then burn:
Option B - if you want to burn directly from contract (preferred to avoid transfers):
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.
Rewards Distribution
The contest is complete and the rewards are being distributed.