code-423n4 / 2021-12-yetifinance-findings


`ERC20_8.sol` `totalSupply` should be increased on `mint` and decreased on `burn` #259

Open code423n4 opened 2 years ago

code423n4 commented 2 years ago

Handle

WatchPug

Vulnerability details

https://github.com/code-423n4/2021-12-yetifinance/blob/5f5bf61209b722ba568623d8446111b1ea5cb61c/packages/contracts/contracts/AssetWrappers/WJLP/ERC20_8.sol#L128-L144

```solidity
// ------------------------------------------------------------------------
// Mint new tokens to a given _to address
// ------------------------------------------------------------------------
function _mint(address _to, uint _num_tokens) internal returns (bool success) {
    balances[_to] = balances[_to] + _num_tokens;
    // _totalSupply is not increased here
    emit Transfer(address(0), _to, _num_tokens);
    return true;
}

// ------------------------------------------------------------------------
// Burn tokens owned by _holder
// ------------------------------------------------------------------------
function _burn(address _holder, uint _num_tokens) internal returns (bool success) {
    balances[_holder] = balances[_holder].sub(_num_tokens);
    // _totalSupply is not decreased here
    emit Transfer(_holder, address(0), _num_tokens);
    return true;
}
```

`totalSupply` is one of the essential view methods of an ERC20 contract. When tokens are minted and burned, `totalSupply` is supposed to be updated.

The current implementation does provide a `totalSupply()` view function, but the storage variable `_totalSupply` will never be updated.
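The fix the finding asks for, shown as an added example that is not the project's code: a minimal token whose `_mint` and `_burn` update `_totalSupply` in the same call that changes a balance, plus a hypothetical view helper (`supplyInvariantHolds`, not part of ERC20) that an auditor can use to check that the balances of a known holder set sum to the reported supply.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the Yeti Finance contract: internal mint/burn that keep
// _totalSupply consistent with the balances mapping.
contract SupplyTrackingToken {
    mapping(address => uint256) internal balances;
    uint256 internal _totalSupply;

    event Transfer(address indexed from, address indexed to, uint256 value);

    function totalSupply() external view returns (uint256) {
        return _totalSupply;
    }

    function balanceOf(address holder) external view returns (uint256) {
        return balances[holder];
    }

    // Mint: credit the holder AND grow the supply in the same call.
    function _mint(address _to, uint256 _num_tokens) internal returns (bool) {
        require(_to != address(0), "mint to zero address");
        _totalSupply += _num_tokens;      // 0.8 checked arithmetic reverts on overflow
        balances[_to] += _num_tokens;
        emit Transfer(address(0), _to, _num_tokens);
        return true;
    }

    // Burn: debit the holder AND shrink the supply in the same call.
    function _burn(address _holder, uint256 _num_tokens) internal returns (bool) {
        balances[_holder] -= _num_tokens; // reverts if the holder has too few tokens
        _totalSupply -= _num_tokens;      // cannot underflow once the balance check passed
        emit Transfer(_holder, address(0), _num_tokens);
        return true;
    }

    // Hypothetical audit helper (assumption: `holders` lists every address that
    // has ever received tokens). The sum of balances must equal totalSupply;
    // with the original _mint/_burn this is false after the first mint.
    function supplyInvariantHolds(address[] calldata holders) external view returns (bool) {
        uint256 sum;
        for (uint256 i = 0; i < holders.length; i++) {
            sum += balances[holders[i]];
        }
        return sum == _totalSupply;
    }
}
```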

kingyetifinance commented 2 years ago

Duplicate #128

alcueca commented 2 years ago

Taking as main

alcueca commented 2 years ago

Assets are not a risk, code is incorrect as to spec. Low severity.