LP Token `minter` is set as the pool on creation. The minter cannot be changed. The pool only exposes one way of the LP Token being burned, which is through the secure `redeem` function. We don't believe there to be any risk in this being abused.
Lines of code
https://github.com/code-423n4/2022-04-backd/blob/c856714a50437cb33240a5964b63687c9876275b/backd/contracts/LpToken.sol#L67
Vulnerability details
Proof of Concept
Using the `burn(address owner, uint256 burnAmount)` function of `LpToken`, the minter user can burn an arbitrary amount of tokens from any address. We believe this is unnecessary and poses a serious centralization risk.
A malicious or compromised minter address can take advantage of this.
Recommended Mitigation Steps
Consider removing the method `function burn(address owner, uint256 burnAmount)`
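The access pattern discussed in this issue, as an added sketch that is not the Backd contracts and not code from the report or the sponsor: a minter-only `burn(owner, amount)` on the token, with the minter fixed to the pool at deployment and the pool exposing a single burn path that only touches the caller's own balance. The contract names, the 1:1 ETH deposit logic and the OpenZeppelin base are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.9;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

// Hypothetical sketch, not the project's LpToken.sol.
contract SketchLpToken is ERC20 {
    // Fixed at deployment; there is no setter, so the role cannot move to an EOA.
    address public immutable minter;

    constructor(address pool) ERC20("Sketch LP", "sLP") {
        require(pool != address(0), "zero minter");
        minter = pool;
    }

    modifier onlyMinter() {
        require(msg.sender == minter, "not minter");
        _;
    }

    function mint(address to, uint256 amount) external onlyMinter {
        _mint(to, amount);
    }

    // The function the finding is about: the minter can burn from any
    // owner without an allowance. Safety depends entirely on who the
    // minter is and which call paths reach this function.
    function burn(address owner, uint256 burnAmount) external onlyMinter {
        _burn(owner, burnAmount);
    }
}

// Hypothetical pool that deploys the token and is therefore its minter.
contract SketchPool {
    SketchLpToken public immutable lpToken;

    constructor() {
        lpToken = new SketchLpToken(address(this));
    }

    function deposit() external payable {
        lpToken.mint(msg.sender, msg.value); // 1:1 for simplicity
    }

    // Only path to burn: the owner argument is always msg.sender, so no
    // caller can cause another holder's balance to be burned.
    function redeem(uint256 amount) external {
        lpToken.burn(msg.sender, amount); // reverts if balance < amount
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

When reviewing a token of this shape, the checks that matter are whether the minter is a contract or an externally owned account, whether any setter or upgrade path can change it, and whether every pool function that reaches `burn` passes only `msg.sender` as the owner.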