code-423n4 / 2023-01-drips-findings


NftDriver exposes burn function which can be used by mistake in order to remove access to your collectable amount inside DripsHub #113

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-01-drips/blob/main/src/NFTDriver.sol#L244-L246

Vulnerability details

Impact

NftDriver exposes a burn function which can be used by mistake to remove access to your collectable amount inside DripsHub

Proof of Concept

The NftDriver contract has a public burn method which allows you to burn your NFT. https://github.com/code-423n4/2023-01-drips/blob/main/src/NFTDriver.sol#L244-L246

    function burn(uint256 tokenId) public override whenNotPaused {
        super.burn(tokenId);
    }

Users can call this by mistake, and once they have done so they lose their access to the DripsHub account that was handled by that NFT; as a result they lose all their current and future collectable funds.

Tools Used

VsCode

Recommended Mitigation Steps

Remove that function; it looks like it's not needed.
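As an added illustration (not the Drips code, and a deliberately stripped-down stand-in for NFTDriver/DripsHub), the toy contracts below reproduce the one property the finding depends on: the token ID is the account ID and every withdrawal is gated on holding that token, so burning leaves the balance unreachable. It assumes OpenZeppelin Contracts 4.x; `ToyNftDriver`, `GuardedToyNftDriver`, `fund` and `collect` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Assumes OpenZeppelin Contracts 4.x (ERC721Burnable, _isApprovedOrOwner).
import "@openzeppelin/contracts/token/ERC721/extensions/ERC721Burnable.sol";

/// Hypothetical stand-in for an NFT-keyed driver (not the Drips code). The token
/// ID *is* the account ID, and every withdrawal is gated on holding that token.
contract ToyNftDriver is ERC721Burnable {
    mapping(uint256 => uint256) public collectable; // account (token) ID => wei owed
    uint256 private _nextId;

    constructor() ERC721("ToyDriver", "TDRV") {}

    modifier onlyHolder(uint256 tokenId) {
        // ownerOf() reverts for a burned token, so no caller can ever pass this again
        require(_isApprovedOrOwner(_msgSender(), tokenId), "caller is not the holder");
        _;
    }

    function mint(address to) external returns (uint256 tokenId) {
        tokenId = _nextId++;
        _safeMint(to, tokenId);
    }

    /// Anyone can credit an account ID, whether or not its token still exists.
    function fund(uint256 tokenId) external payable {
        collectable[tokenId] += msg.value;
    }

    function collect(uint256 tokenId, address payable to) external onlyHolder(tokenId) {
        uint256 amount = collectable[tokenId];
        collectable[tokenId] = 0;
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }

    /// Mirrors the exposed burn: afterwards collectable[tokenId], and anything
    /// fund()ed to that ID later, is stranded because onlyHolder can never succeed.
    function burn(uint256 tokenId) public virtual override {
        super.burn(tokenId);
    }
}

/// One defensive variant: refuse to burn while funds are still owed. This only
/// protects the balance present at burn time; later credits to the same ID would
/// still be lost, which is why the finding recommends dropping burn entirely.
contract GuardedToyNftDriver is ToyNftDriver {
    function burn(uint256 tokenId) public override {
        require(collectable[tokenId] == 0, "collect before burning");
        super.burn(tokenId);
    }
}
```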

GalloDaSballo commented 1 year ago

QA at best, you'd burn your own token

GalloDaSballo commented 1 year ago

L

c4-judge commented 1 year ago

GalloDaSballo changed the severity to QA (Quality Assurance)

GalloDaSballo commented 1 year ago

3L in total, close but not sufficient

c4-judge commented 1 year ago

GalloDaSballo marked the issue as grade-c