code-423n4 / 2022-03-rolla-findings


COLLATERAL_BURNER_ROLE can burn any amount of CollateralToken from an arbitrary address #13

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-03-rolla/blob/main/quant-protocol/contracts/options/CollateralToken.sol#L120-L135

Vulnerability details

Impact

    function burnCollateralToken(
        address owner,            // caller-supplied; never compared to msg.sender
        uint256 collateralTokenId,
        uint256 amount
    ) external override {
        // The only access check is the role check on the caller.
        require(
            quantConfig.hasRole(
                quantConfig.quantRoles("COLLATERAL_BURNER_ROLE"),
                msg.sender
            ),
            "CollateralToken: Only a collateral burner can burn CollateralTokens"
        );
        // No owner/approval check: any burner may burn from any `owner`.
        _burn(owner, collateralTokenId, amount);

        emit CollateralTokenBurned(owner, collateralTokenId, amount);
    }

Using the burnCollateralToken() and burnCollateralTokenBatch() functions of CollateralToken, an address with COLLATERAL_BURNER_ROLE can burn an arbitrary amount of tokens from any address.

We believe this is unnecessary and poses a serious centralization risk.

Proof of Concept

https://github.com/code-423n4/2022-03-rolla/blob/main/quant-protocol/contracts/options/CollateralToken.sol#L120-L135
https://github.com/code-423n4/2022-03-rolla/blob/main/quant-protocol/contracts/options/CollateralToken.sol#L163-L184

Tools Used

None

Recommended Mitigation Steps

Update the burnCollateralToken and burnCollateralTokenBatch functions so that only the owner can burn their own tokens.
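
The following is an added illustration of the mitigation, not code from the Rolla repository or from the warden. It reduces CollateralToken to balances, ERC1155-style operator approval and the two burn paths, and replaces QuantConfig with a minimal stand-in (`RoleConfig`) that only reproduces the `hasRole` / `quantRoles` calls visible in the snippet above. `burnCollateralTokenUnsafe` has the shape of the reported code; `burnCollateralToken` and `burnCollateralTokenBatch` keep the role check and additionally require the caller to be the owner, or an operator the owner explicitly approved, which is the same rule OpenZeppelin's ERC1155Burnable applies. Contract names, the `mint` helper and the approval path are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Minimal stand-in for the role registry the reported snippet calls
/// (quantConfig.hasRole / quantConfig.quantRoles). Not the protocol's QuantConfig.
contract RoleConfig {
    mapping(bytes32 => mapping(address => bool)) private _roles;
    address public immutable admin;

    constructor() {
        admin = msg.sender;
    }

    function quantRoles(string memory name) public pure returns (bytes32) {
        return keccak256(bytes(name));
    }

    function grantRole(bytes32 role, address account) external {
        require(msg.sender == admin, "RoleConfig: not admin");
        _roles[role][account] = true;
    }

    function hasRole(bytes32 role, address account) external view returns (bool) {
        return _roles[role][account];
    }
}

/// Reduced ERC1155-style collateral token: balances, operator approval and
/// the vulnerable burn next to its hardened form (example code, assumed names).
contract CollateralTokenExample {
    RoleConfig public immutable quantConfig;
    mapping(uint256 => mapping(address => uint256)) public balanceOf;
    mapping(address => mapping(address => bool)) public isApprovedForAll;

    event CollateralTokenBurned(address indexed owner, uint256 indexed id, uint256 amount);

    constructor(RoleConfig config) {
        quantConfig = config;
    }

    // Open mint so the example can be exercised; a real token gates this.
    function mint(address to, uint256 id, uint256 amount) external {
        balanceOf[id][to] += amount;
    }

    // Standard ERC1155 operator approval, granted by the owner only.
    function setApprovalForAll(address operator, bool approved) external {
        isApprovedForAll[msg.sender][operator] = approved;
    }

    modifier onlyBurner() {
        require(
            quantConfig.hasRole(quantConfig.quantRoles("COLLATERAL_BURNER_ROLE"), msg.sender),
            "CollateralToken: Only a collateral burner can burn CollateralTokens"
        );
        _;
    }

    // Same check as the owner-or-approved rule in ERC1155Burnable.
    modifier onlyOwnerOrApproved(address owner) {
        require(
            owner == msg.sender || isApprovedForAll[owner][msg.sender],
            "CollateralToken: caller is neither owner nor approved operator"
        );
        _;
    }

    // Shape of the reported code: `owner` is caller-supplied and never checked
    // against msg.sender, so any burner-role account can drain any account.
    function burnCollateralTokenUnsafe(address owner, uint256 id, uint256 amount)
        external
        onlyBurner
    {
        _burn(owner, id, amount);
    }

    // Hardened: role check kept, plus the owner/approval check on `owner`.
    function burnCollateralToken(address owner, uint256 id, uint256 amount)
        external
        onlyBurner
        onlyOwnerOrApproved(owner)
    {
        _burn(owner, id, amount);
    }

    // Batch path gets the identical owner/approval check once, before the loop.
    function burnCollateralTokenBatch(address owner, uint256[] calldata ids, uint256[] calldata amounts)
        external
        onlyBurner
        onlyOwnerOrApproved(owner)
    {
        require(ids.length == amounts.length, "CollateralToken: length mismatch");
        for (uint256 i = 0; i < ids.length; i++) {
            _burn(owner, ids[i], amounts[i]);
        }
    }

    function _burn(address owner, uint256 id, uint256 amount) internal {
        uint256 bal = balanceOf[id][owner];
        require(bal >= amount, "CollateralToken: burn amount exceeds balance");
        balanceOf[id][owner] = bal - amount;
        emit CollateralTokenBurned(owner, id, amount);
    }
}
```

With this shape a burner-role contract can still burn a user's collateral, but only after that user called `setApprovalForAll` for it; the role alone no longer reaches arbitrary balances. If the protocol never needs delegated burns, drop the `isApprovedForAll` clause and the check collapses to `owner == msg.sender`, which is exactly the report's recommendation.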

quantizations commented 2 years ago

Duplicate of #12 - centralized role structure

alcueca commented 2 years ago

Grouping with #12