In the burn function of the IndexLogic contract, the user needs to transfer the tokens to the contract first, and then call the burn function to withdraw the assets. The attacker can monitor the number of tokens in the contract. When it is not 0, the attacker can call burn function to burn other users' tokens to transfer assets to himself.
olivermehr
commented
2 years ago
Lines of code
https://github.com/code-423n4/2022-04-phuture/blob/main/contracts/IndexLogic.sol#L97
Vulnerability details
Impact
In the burn function of the IndexLogic contract, the user needs to transfer the tokens to the contract first, and then call the burn function to withdraw the assets. The attacker can monitor the number of tokens in the contract. When it is not 0, the attacker can call burn function to burn other users' tokens to transfer assets to himself.
Proof of Concept
https://github.com/code-423n4/2022-04-phuture/blob/main/contracts/IndexLogic.sol#L97
Tools Used
None
Recommended Mitigation Steps
Call the transferfrom function in the burn function of the IndexLogic contract to transfer the user's tokens