```solidity
function burnCollateralToken(
    address owner,
    uint256 collateralTokenId,
    uint256 amount
) external override {
    require(
        quantConfig.hasRole(
            quantConfig.quantRoles("COLLATERAL_BURNER_ROLE"),
            msg.sender
        ),
        "CollateralToken: Only a collateral burner can burn CollateralTokens"
    );
    _burn(owner, collateralTokenId, amount);
    emit CollateralTokenBurned(owner, collateralTokenId, amount);
}
```
Lines of code
https://github.com/code-423n4/2022-03-rolla/blob/main/quant-protocol/contracts/options/CollateralToken.sol#L120-L135
Vulnerability details
Impact
Using the burnCollateralToken() and burnCollateralTokenBatch() functions of CollateralToken, an address with COLLATERAL_BURNER_ROLE can burn an arbitrary amount of tokens from any address.
We believe this is unnecessary and poses a serious centralization risk.
Proof of Concept
https://github.com/code-423n4/2022-03-rolla/blob/main/quant-protocol/contracts/options/CollateralToken.sol#L120-L135
https://github.com/code-423n4/2022-03-rolla/blob/main/quant-protocol/contracts/options/CollateralToken.sol#L163-L184
Tools Used
None
Recommended Mitigation Steps
Update burnCollateralToken() and burnCollateralTokenBatch() so that only the owner can burn their own tokens.
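The following is an added illustration of the recommended mitigation, not code from the Rolla/Quant repository. It is a minimal ERC-1155 collateral token (assuming OpenZeppelin 4.6+ at the usual import paths; `CollateralTokenExample`, `mintCollateralToken` and the role constants are hypothetical names chosen for this example). The role-gated burn that the finding describes is kept, renamed `burnCollateralTokenUnrestricted`, purely for side-by-side comparison; the hardened `burnCollateralToken` / `burnCollateralTokenBatch` only accept a burn from the token owner, or, following the ERC-1155 `setApprovalForAll` convention, from an operator the owner explicitly approved, so no privileged role can destroy a user's collateral without their consent.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example (not the Rolla/Quant code). Assumes OpenZeppelin 4.6+.
import "@openzeppelin/contracts/token/ERC1155/ERC1155.sol";
import "@openzeppelin/contracts/access/AccessControl.sol";

contract CollateralTokenExample is ERC1155, AccessControl {
    // Hypothetical role ids, mirroring the quantRoles(...) lookup in the finding.
    bytes32 public constant COLLATERAL_MINTER_ROLE = keccak256("COLLATERAL_MINTER_ROLE");
    bytes32 public constant COLLATERAL_BURNER_ROLE = keccak256("COLLATERAL_BURNER_ROLE");

    event CollateralTokenBurned(address indexed owner, uint256 indexed collateralTokenId, uint256 amount);

    constructor() ERC1155("") {
        _grantRole(DEFAULT_ADMIN_ROLE, msg.sender);
    }

    // Mint helper so the example can be exercised end to end (hypothetical).
    function mintCollateralToken(address to, uint256 collateralTokenId, uint256 amount)
        external
        onlyRole(COLLATERAL_MINTER_ROLE)
    {
        _mint(to, collateralTokenId, amount, "");
    }

    // BEFORE (kept only for comparison): the shape the finding reports. Any
    // holder of COLLATERAL_BURNER_ROLE can burn from *any* owner; the owner
    // is never consulted, which is the centralization risk described above.
    function burnCollateralTokenUnrestricted(address owner, uint256 collateralTokenId, uint256 amount)
        external
        onlyRole(COLLATERAL_BURNER_ROLE)
    {
        _burn(owner, collateralTokenId, amount);
        emit CollateralTokenBurned(owner, collateralTokenId, amount);
    }

    // Shared authorization check for the hardened burns: the caller must be
    // the owner, or an operator the owner approved via setApprovalForAll.
    modifier onlyOwnerOrApproved(address owner) {
        require(
            owner == msg.sender || isApprovedForAll(owner, msg.sender),
            "CollateralToken: caller is not owner nor approved"
        );
        _;
    }

    // AFTER: only the owner (or their approved operator) can burn the owner's tokens.
    function burnCollateralToken(address owner, uint256 collateralTokenId, uint256 amount)
        external
        onlyOwnerOrApproved(owner)
    {
        _burn(owner, collateralTokenId, amount);
        emit CollateralTokenBurned(owner, collateralTokenId, amount);
    }

    // AFTER: batch variant with the same ownership check. _burnBatch reverts
    // if ids and amounts differ in length or if any balance is insufficient.
    function burnCollateralTokenBatch(
        address owner,
        uint256[] calldata collateralTokenIds,
        uint256[] calldata amounts
    ) external onlyOwnerOrApproved(owner) {
        _burnBatch(owner, collateralTokenIds, amounts);
        for (uint256 i = 0; i < collateralTokenIds.length; i++) {
            emit CollateralTokenBurned(owner, collateralTokenIds[i], amounts[i]);
        }
    }

    // Required because both ERC1155 and AccessControl define supportsInterface.
    function supportsInterface(bytes4 interfaceId)
        public
        view
        override(ERC1155, AccessControl)
        returns (bool)
    {
        return super.supportsInterface(interfaceId);
    }
}
```

With this shape, a protocol component that legitimately needs to burn collateral on a user's behalf (for example a settlement contract) must first be approved by that user through `setApprovalForAll`, which makes the trust relationship explicit and revocable rather than granted globally to a role. A quick review check on the original code is therefore: does any burn path reach `_burn`/`_burnBatch` without comparing `owner` to `msg.sender` or consulting `isApprovedForAll`?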