Status: Closed (closed by code423n4 2 years ago)
Lines of code
https://github.com/skalenetwork/ima-c4-audit/blob/11d6a6ae5bf16af552edd75183791375e501915f/contracts/schain/tokens/EthErc20.sol#L64
Vulnerability details
Proof of Concept
Using the forceBurn() function of EthErc20, an address with BURNER_ROLE can burn an arbitrary amount of tokens from any address.
We believe this is unnecessary and poses a serious centralization risk. A malicious or compromised BURNER_ROLE address can take advantage of this.
Recommended Mitigation Steps
Consider removing the BURNER_ROLE and changing the forceBurn() function to:
```solidity
// Burns only the caller's own tokens; no privileged role can burn from another address.
function forceBurn(uint256 amount) external override { _burn(_msgSender(), amount); }
```
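The two shapes of forceBurn() side by side, as an added example that is not code from the ima-c4-audit repository or the SKALE project: a minimal token whose role-gated forceBurn(address,uint256) reconstructs the pattern this finding describes, and the self-burn-only variant the mitigation proposes. MinimalToken, BurnerGatedToken, SelfBurnToken, Scenario, the open mint() and the hand-rolled role mapping (standing in for OpenZeppelin AccessControl) are assumptions made for the demo; the audited EthErc20 at the linked line is not reproduced, and the override keyword from the recommendation is dropped because no interface is declared here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not code from ima-c4-audit. Contract and function names
// other than forceBurn/BURNER_ROLE are hypothetical.

abstract contract MinimalToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    event Transfer(address indexed from, address indexed to, uint256 value);

    function _mint(address to, uint256 amount) internal {
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }

    function _burn(address from, uint256 amount) internal {
        uint256 bal = balanceOf[from];
        require(bal >= amount, "burn amount exceeds balance");
        balanceOf[from] = bal - amount;
        totalSupply -= amount;
        emit Transfer(from, address(0), amount);
    }
}

// Pattern reported by the finding: whoever holds BURNER_ROLE can destroy
// tokens held by any account, so one compromised key can zero every balance.
contract BurnerGatedToken is MinimalToken {
    bytes32 public constant BURNER_ROLE = keccak256("BURNER_ROLE");
    // Minimal stand-in for AccessControl's role bookkeeping (assumption).
    mapping(bytes32 => mapping(address => bool)) private _roles;

    constructor(address burner) {
        _roles[BURNER_ROLE][burner] = true;
    }

    modifier onlyRole(bytes32 role) {
        require(_roles[role][msg.sender], "AccessControl: missing role");
        _;
    }

    // Open mint exists only so the demo can fund a victim (assumption).
    function mint(address to, uint256 amount) external { _mint(to, amount); }

    // The account parameter is the problem: the holder's consent is never involved.
    function forceBurn(address account, uint256 amount) external onlyRole(BURNER_ROLE) {
        _burn(account, amount);
    }
}

// Recommended shape: no privileged role; a caller can only burn their own balance.
contract SelfBurnToken is MinimalToken {
    function mint(address to, uint256 amount) external { _mint(to, amount); }

    function forceBurn(uint256 amount) external {
        _burn(msg.sender, amount);
    }
}

// Drives both variants from one address that holds BURNER_ROLE on the first.
contract Scenario {
    function run() external returns (uint256 victimBalanceAfterForceBurn, bool outsiderCouldBurnVictim) {
        address victim = address(0xBEEF);

        BurnerGatedToken gated = new BurnerGatedToken(address(this));
        gated.mint(victim, 100 ether);
        gated.forceBurn(victim, 100 ether);            // victim never signed anything
        victimBalanceAfterForceBurn = gated.balanceOf(victim); // 0

        SelfBurnToken self = new SelfBurnToken();
        self.mint(victim, 100 ether);
        // The only burn path is msg.sender's own balance; this contract holds none,
        // so the call reverts and the victim keeps 100 ether.
        try self.forceBurn(100 ether) {
            outsiderCouldBurnVictim = true;
        } catch {
            outsiderCouldBurnVictim = false;
        }
    }
}
```

Deploy Scenario and call run(): with the role-gated variant the victim's balance is 0 after a single forceBurn the victim never authorised, while with the self-burn variant the same caller's attempt reverts and the victim keeps 100 ether. Note that the recommended signature drops the account parameter entirely, so removing BURNER_ROLE also removes any legitimate flow that relied on burning from another address; whether such a flow exists in IMA is not discussed on this page.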
Duplicate of #16, sponsor disputed, see #16