Closed code423n4 closed 2 years ago
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/tokens/StableCoin.sol#L19
User can accidentally burn PUSD tokens.
PUSD Coin inherits from ERC20Burnable which according to OZ ` /**
recognized off-chain (via event analysis). */ ` This contact has the exposed function.
function burn(uint256 amount) public virtual { _burn(_msgSender(), amount); }
I believe that this functionality makes no sense for a stable coin. It is just dangerous and can make users lose their funds.
Manual code review
Remove the ERC20Burnable.
There's no way a user would call burn without knowing what it does.
burn
If the user calls burn, they clearly intend to burn their tokens.
Lines of code
https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/tokens/StableCoin.sol#L19
Vulnerability details
Impact
User can accidentally burn PUSD tokens.
Proof of Concept
PUSD Coin inherits from ERC20Burnable which according to OZ ` /**
recognized off-chain (via event analysis). */ ` This contact has the exposed function.
function burn(uint256 amount) public virtual { _burn(_msgSender(), amount); }
I believe that this functionality makes no sense for a stable coin. It is just dangerous and can make users lose their funds.
Tools Used
Manual code review
Recommended Mitigation Steps
Remove the ERC20Burnable.