Token-0x

First Flight #54

Beginner FriendlyDeFi

100 EXP

View all submissions

Previous Next

Submission Details

Impact: high

Likelihood: high

Anyone can burn unowned tokens and mint free tokens.

Author Revealed upon completion

Root + Impact

Description

The internal _burnfunction is incorrectly implemented. It doesn't check that the account that will burn tokens has a balance greater than or equal to the amount of tokens to burn. Because it uses assembly blocks and the subinstruction, an underflow will occur when users burn more tokens than they own. Consequence is that their token balance will be extremely high, potentially type(uint256).max.

function _burn(address account, uint256 value) internal {

assembly ("memory-safe") {

if iszero(account) {

mstore(0x00, shl(224, 0x96c6fd1e))

mstore(add(0x00, 4), 0x00)

revert(0x00, 0x24)

}

let ptr := mload(0x40)

let balanceSlot := _balances.slot

let supplySlot := _totalSupply.slot

let supply := sload(supplySlot)

sstore(supplySlot, sub(supply, value))

mstore(ptr, account)

mstore(add(ptr, 0x20), balanceSlot)

let accountBalanceSlot := keccak256(ptr, 0x40)

let accountBalance := sload(accountBalanceSlot)

// @audit HIGH: no check that account balance is >= value

// @audit underflow allows anyone to burn unowned tokens

> sstore(accountBalanceSlot, sub(accountBalance, value))

}

Risk

Likelihood:

Likelihood is high given that if a token uses this ERC20 implementation and allows the burn feature, anyone will be able to mint free tokens and dump these tokens on DEXs/CEXs.

Impact:

Mint of a huge amount of tokens for free

Proof of Concept

Please copy paste the following test in Token.t.sol file:

function testPoc() public {

address account = makeAddr("account");

uint256 amount = 1;

token.burn(account, amount);

uint256 balance = token.balanceOf(account);

assertEq(balance, type(uint256).max);

}

Recommended Mitigation

Ensure that the _burnfunction checks the balance of the account that will burn token and reverts if there is an attempt to burn more tokens thant the account owns.

Rewards breakdown

nSLOC

222

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!