Exposed public `burn()` for stablecoins .

[code423n4]

Lines of code

https://github.com/code-423n4/2022-04-jpegd/blob/e72861a9ccb707ced9015166fbded5c97c6991b6/contracts/tokens/StableCoin.sol#L19

Vulnerability details

Impact

User can accidentally burn PUSD tokens.

Proof of Concept

PUSD Coin inherits from ERC20Burnable which according to OZ ` /**

• @dev Extension of {ERC20} that allows token holders to destroy both their own
• tokens and those that they have an allowance for, in a way that can be

• recognized off-chain (via event analysis). */ ` This contact has the exposed function.

  function burn(uint256 amount) public virtual { _burn(_msgSender(), amount); }

I believe that this functionality makes no sense for a stable coin. It is just dangerous and can make users lose their funds.

Tools Used

Manual code review

Recommended Mitigation Steps

Remove the ERC20Burnable.

[spaghettieth]

There's no way a user would call burn without knowing what it does.

[dmvt]

If the user calls burn, they clearly intend to burn their tokens.