Raisebox Faucet
First Flight #50
Beginner FriendlySolidity
100 EXP
View all submissions
Previous Next
Submission Details
Impact: high
Likelihood: medium

`RaiseBoxFaucet:burnFaucetTokens` function may inappropriately transfer the entire contract balance to the administrator.

Author Revealed upon completion

RaiseBoxFaucet:burnFaucetTokens function may inappropriately transfer the entire contract balance to the administrator.

Description

  • Normally, the intention of the burnFaucetTokens function is to "burn a specified amount of tokens".

  • However, the logic semantics of this function are quite confusing: "first transfer the entire balance to the administrator, then burn the specified amount". This does not seem to be a reasonable expectation.

  • This inappropriate logic will result in whenever the administrator performs a burn operation, regardless of the specified amount, the entire balance of the protocol will be removed.

  • Moreover, transferring to the administrator effectively violates the expectation that "the administrator cannot withdraw faucet tokens".

function burnFaucetTokens(uint256 amountToBurn) public onlyOwner {
require(amountToBurn <= balanceOf(address(this)), "Faucet Token Balance: Insufficient");
// transfer faucet balance to owner first before burning
// ensures owner has a balance before _burn (owner only function) can be called successfully
@> _transfer(address(this), msg.sender, balanceOf(address(this)));
_burn(msg.sender, amountToBurn);
}

Risk

Likelihood:

  • Occurs every time a burn operation is performed.

Impact:

  • Directly empties the protocol's token balance, meaning "if the protocol wants to continue distributing tokens in the future, it must remint them, which would be redundant".

Proof of Concept

  • Add the following in RaiseBoxFaucet.t.sol:

function test__burnFaucetTokens() public {
assertTrue(
raiseBoxFaucet.getFaucetTotalSupply() == INITIAL_SUPPLY_MINTED,
"Total supply should be equal to Intial supply minted"
);
vm.prank(owner);
raiseBoxFaucet.burnFaucetTokens(1 * 1e18);
assertTrue(
raiseBoxFaucet.getFaucetTotalSupply() == 0,
"Token Burn: Supply is zero"
);
}

Recommended Mitigation

  • Precisely burn the specified amount of tokens

function burnFaucetTokens(uint256 amountToBurn) public onlyOwner {
require(amountToBurn <= balanceOf(address(this)), "Faucet Token Balance: Insufficient");
- // transfer faucet balance to owner first before burning
- // ensures owner has a balance before _burn (owner only function) can be called successfully
- _transfer(address(this), msg.sender, balanceOf(address(this)));
- _burn(msg.sender, amountToBurn);
+ _burn(address(this), amountToBurn);
}

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.