balancer / balancer-core

Balancer on the EVM
GNU General Public License v3.0

Users can silently burn tokens with transfers to 0x0 #197

Closed ggrieco-tob closed 4 years ago

ggrieco-tob commented 4 years ago

Severity: Low Difficulty: Low

Description

The amount of minted tokens is tracked in the BToken contract by the totalSupply function. Burning tokens is only possible using an internal operation (called by BPools). However, the transfer and transferFrom methods do not restrict the address destination of address(0x0), allowing tokens to effectively be burned without decreasing the totalSupply variable.

Exploit Scenario

Alice creates a pool and uses some off-chain code to manage it. A calculation results in a transfer to the null or empty address of 0x0. As a result, Alice loses her tokens.

Recommendation

Add a require condition in transfer and transferFrom that explicitly forbids burning tokens by transferring them to 0x0.

Long term, use Echidna and Manticore to check that the BToken does not allow tokens to be easily burned by transferring them to 0x0.

mikemcdonald commented 4 years ago

Won't fix - no restrictions to 0 addresses will be added to the core protocol
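
The check recommended in the issue, together with an Echidna property that would catch its absence, as an added example that is not part of the original thread and not Balancer's code. `SketchToken`, its error strings and the property name are hypothetical; the token is a simplified stand-in for BToken.

```solidity
// SPDX-License-Identifier: GPL-3.0
pragma solidity ^0.8.0;

// Simplified stand-in for a pool token (assumption: NOT the BToken source).
contract SketchToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public totalSupply;

    constructor(uint256 initial) {
        balanceOf[msg.sender] = initial;
        totalSupply = initial;
    }

    function _move(address src, address dst, uint256 amt) internal {
        // The recommended check. Without it, tokens sent to 0x0 become
        // unspendable while totalSupply still counts them.
        require(dst != address(0), "transfer to zero address");
        require(balanceOf[src] >= amt, "insufficient balance");
        balanceOf[src] -= amt;
        balanceOf[dst] += amt;
    }

    function approve(address spender, uint256 amt) external returns (bool) {
        allowance[msg.sender][spender] = amt;
        return true;
    }

    function transfer(address dst, uint256 amt) external returns (bool) {
        _move(msg.sender, dst, amt);
        return true;
    }

    function transferFrom(address src, address dst, uint256 amt) external returns (bool) {
        require(allowance[src][msg.sender] >= amt, "insufficient allowance");
        allowance[src][msg.sender] -= amt;
        _move(src, dst, amt);
        return true;
    }
}

// Echidna harness: the fuzzer calls the public functions with random
// arguments and reports any call sequence that makes an echidna_*
// function return false. The initial supply goes to the deployer, which
// must be one of the fuzzer's sender addresses for transfers to succeed.
contract SketchTokenEchidna is SketchToken {
    constructor() SketchToken(1e24) {}

    function echidna_zero_address_holds_nothing() public view returns (bool) {
        return balanceOf[address(0)] == 0;
    }
}
```

With the first `require` in `_move` removed, the property fails as soon as the fuzzer generates a transfer whose destination is `address(0)`, which is the silent burn described in the issue.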