code-423n4 / 2022-07-fractional-findings


It is possible to burn someone's vault tokens #591

Closed code423n4 closed 2 years ago

code423n4 commented 2 years ago

Lines of code

https://github.com/code-423n4/2022-07-fractional/blob/8f2697ae727c60c93ea47276f8fa128369abfe51/src/VaultRegistry.sol#L39-L44

Vulnerability details

Impact

It is possible to burn someone's vault tokens.

Exploit Scenario

Let's say Alice and Bob have some vault tokens. For some reason, Bob didn't grab an ice cream for Alice; therefore, Alice wanted revenge for that. So she decided to burn Bob's vault tokens.

Tools Used

stevennevins commented 2 years ago

This isn't possible because Alice would be msg.sender and not in the vaultToToken mapping. The vault address (msg.sender) is the key for each combination of (token address, token id).

HardlyDifficult commented 2 years ago

Agree with sponsor, closing as invalid.
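
A simplified model of the check the sponsor describes, added here as an illustration and not taken from the contest repository: the registry looks up the token and id to burn by `msg.sender`, so a caller that is not a registered vault has no entry and the call reverts. Only `vaultToToken` and the use of `msg.sender` as the key come from the thread; the contract names, `register`, and the error name are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

// Hypothetical minimal token: only the registry that deployed it may mint or burn.
contract ModelToken {
    address public immutable registry;
    mapping(address => mapping(uint256 => uint256)) public balanceOf;

    constructor() { registry = msg.sender; }

    modifier onlyRegistry() {
        require(msg.sender == registry, "not registry");
        _;
    }

    function mint(address to, uint256 id, uint256 amount) external onlyRegistry {
        balanceOf[to][id] += amount;
    }

    function burn(address from, uint256 id, uint256 amount) external onlyRegistry {
        balanceOf[from][id] -= amount; // checked arithmetic reverts on underflow
    }
}

contract ModelRegistry {
    struct VaultInfo { address token; uint256 id; }

    ModelToken public immutable token;
    mapping(address => VaultInfo) public vaultToToken; // key: vault address
    uint256 private nextId = 1;                        // id 0 means "not registered"

    error UnregisteredVault(address caller);

    constructor() { token = new ModelToken(); }

    // Stand-in for vault deployment: binds a vault address to a fresh token id.
    function register(address vault, address holder, uint256 supply) external {
        require(vaultToToken[vault].id == 0, "already registered");
        uint256 id = nextId++;
        vaultToToken[vault] = VaultInfo(address(token), id);
        token.mint(holder, id, supply);
    }

    // The id to burn is derived from msg.sender, never supplied by the caller.
    function burn(address from, uint256 value) external {
        VaultInfo memory info = vaultToToken[msg.sender];
        if (info.id == 0) revert UnregisteredVault(msg.sender);
        ModelToken(info.token).burn(from, info.id, value);
    }
}
```

In this model, a call to `burn(bob, amount)` from an externally owned account reverts with `UnregisteredVault`, and a registered vault can only ever affect balances of its own token id.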