Submission Details
Severity:
RaiseBoxFaucet::burnFaucetTokens should not transfer faucet balance to owner before burn
Root + Impact
RaiseBoxFaucet::burnFaucetTokens code breaks one of the core business rules.
Description
One of the limitations states that "owner cannot claimfaucet tokens ", but the actual code allows that (logic error).
The code transfers faucet balance to owner first before burning wich breaks the above business rule. Also, the purpose of "burning" is to reduce total supply and this violates that understanding.
The Impact is breaking of one of the business rules (see code comments below).
// owner cannot claimfaucet tokens
```
function burnFaucetTokens(uint256 amountToBurn) public onlyOwner {
require(amountToBurn <= balanceOf(address(this)), "Faucet Token Balance: Insufficient");
// transfer faucet balance to owner first before burning
// ensures owner has a balance before _burn (owner only function) can be called successfully
_transfer(address(this), msg.sender, balanceOf(address(this))); // <<= wrong owner cannot claimfaucet tokens
_burn(msg.sender, amountToBurn);
}
```
Recommended Mitigation
Remove the transfer call in RaiseBoxFaucet::burnFaucetTokens.
- _transfer(address(this), msg.sender, balanceOf(address(this)));
Updates
Lead Judging Commences
inallhonesty 5 days ago
Submission Judgement Published Assigned finding tags:
Unnecessary and convoluted logic in burnFaucetTokens
Rewards breakdown
nSLOC
157This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.