Token-0x
First Flight #54
Beginner FriendlyDeFi
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Unchecked Underflow in _burn (Token Minting)

sabahu200

Root + Impact

Description

The _burn function uses the Yul sub opcode to decrease the _totalSupply and the account's balance without first checking if the balance is greater than or equal to the amount being burned.

// ERC20Internals.sol
sstore(supplySlot, sub(supply, value)) // Line 171
// ...
sstore(accountBalanceSlot, sub(accountBalance, value)) // Line 178

Risk

An attacker with a zero balance can call a function that triggers _burn with a positive value. The Yul sub operation will cause the balance to underflow (e.g., 0 - 1 results in 2^256 - 1), effectively granting the attacker the maximum possible token balance. This allows for unauthorized, arbitrary token creation, leading to the complete collapse of the token's economic value.

Proof of Concept

The _burn function uses the Yul sub opcode to decrease the _totalSupply and the account's balance without first checking if the balance is greater than or equal to the amount being burned.

// ERC20Internals.sol
sstore(supplySlot, sub(supply, value)) // Line 171
// ...
sstore(accountBalanceSlot, sub(accountBalance, value)) // Line 178

Recommended Mitigation

// Example fix for account balance check
let accountBalance := sload(accountBalanceSlot)
if lt(accountBalance, value) {
// Revert with ERC20InsufficientBalance error
// ...
}
sstore(accountBalanceSlot, sub(accountBalance, value))
Updates

Lead Judging Commences

gaurangbrdv Lead Judge 19 days ago
Submission Judgement Published
Validated
Assigned finding tags:

overflow & underflow

missing checks for overflow and underflow.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!