Closed code423n4 closed 2 years ago
This is correct implementation it transfers the basket to the wrapper and then mints the same amount of token. The burning is the signal to Polygon bridge to enable minting n the root chain. Usually polygon bridge uses burning as a signal to withdraw on one side but our basket already uses burn function on the exitPool and also burning changes ratio of underlying to totalSupply. That is why we wrap and instantly burn this token to not have to burn the real basket.
The sponsor has outlined that token burn events are used to initiate polygon bridge withdrawals on one side. Hence, this issue seems invalid
.
Handle
certora
Vulnerability details
https://github.com/code-423n4/2021-12-amun/blob/main/contracts/bridge/contracts/amunBasketBridge/PolygonERC20Wrapper.sol#L60
the comment says that the function should byrn user shares, but it also mints them. in addition, that function transfers tokens from msg.sender to address(this), but it should be upside down.