Root + Impact

Description

• According to the ERC20 standard, when tokens are burned, the contract must emit a Transfer event from the account to address(0). The _burn function at lines 158-180 should emit Transfer(account, address(0), value) after updating the balance and total supply, similar to how the _transfer function emits Transfer(from, to, value) events. This event emission is required for ERC20 compliance and enables off-chain systems to track token burns.

• ExThe _burn function updates the account balance and total supply but does not emit the required Transfer event. The function performs all state changes correctly but omits the event emission at the end of the assembly block. This breaks ERC20 standard compliance and prevents off-chain systems from detecting burn operations, causing integration failures with wallets, explorers, and protocols that rely on Transfer events to track token destruction.

Risk

Likelihood:

• High - The vulnerability occurs whenever the _burn function is called, which happens during every token burning operation. Since burning is a core functionality of ERC20 tokens and is typically used for token destruction, deflationary mechanisms, or fee collection, this issue affects all burn operations.

• High - The missing event emission happens consistently during burn operations because the function lacks the event emission code entirely. Any contract or protocol that burns tokens using this implementation will fail to emit the required Transfer event, breaking compatibility with standard ERC20 tooling and infrastructure.

Impact:

• High - ERC20 standard non-compliance: The contract fails to meet the ERC20 standard requirement for emitting Transfer events during burning. This breaks compatibility with standard ERC20 interfaces and can cause integration failures with wallets, DEX aggregators, and other DeFi protocols that expect Transfer events for all token operations, including burns.

• Medium - Off-chain tracking and indexing failures: Wallets, block explorers, and indexing services rely on Transfer events to track token balances and transaction history. Without the Transfer event, these systems cannot detect burn operations, leading to incorrect balance displays, missing transaction history, and broken analytics for token holders and protocols.

Proof of Concept

Explanation of the POC

The proof of concept demonstrates that when tokens are burned, no Transfer event is emitted. The test test_burnEventNotEmitted() records all events during a burn operation and verifies that no events are logged, proving the missing Transfer event. The test test_burnMissingTransferEvent() expects a Transfer(account, address(0), 50e18) event but fails because the function doesn't emit it.

Running the POC: Execute forge test --match-contract BurnEventPOC -vvv. The tests will demonstrate that burning tokens does not emit the required Transfer event, breaking ERC20 compliance. The test test_burnEventNotEmitted() passes, confirming no events are emitted during burning.

Explanation of the Mitigation

The fix adds the missing Transfer event emission after updating the balance and total supply. The event is emitted using Yul's log3 opcode with the Transfer event signature hash (0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef), with the account as the from parameter and address(0) as the to parameter. This ensures ERC20 standard compliance and enables off-chain systems to properly track burn operations. After applying the mitigation, the POC tests should pass, confirming that Transfer events are now emitted during burning.

Recommended Mitigation