search

code-423n4 / 2022-04-backd-findings

6 stars 4 forks source link

Owner can burn arbitrary LpToken #149

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/LpToken.sol#L67

Vulnerability details

Proof of Concept

Using the burn(address owner, uint256 burnAmount) function of LpToken, the minter user can burn an arbitrary amount of tokens from any address.

We believe this is unnecessary and poses a serious centralization risk.

A malicious or compromised minter address can take advantage of this.

Recommended Mitigation Steps

Consider removing the method function burn(address owner, uint256 burnAmount)

chase-manning commented 2 years ago

LP Token minter is set as the pool on creation. The minter cannot be changed. The pool only exposes one way of the LP Token being burned, which is through the secure redeem function. We don't believe there to be any risk in this being abused.