Closed code423n4 closed 1 year ago
berndartmueller marked the issue as duplicate of #143
berndartmueller marked the issue as not a duplicate
berndartmueller marked the issue as duplicate of #66
berndartmueller changed the severity to QA (Quality Assurance)
berndartmueller marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-01-numoen/blob/2ad9a73d793ea23a25a381faadc86ae0c8cb5913/src/core/Lendgine.sol#L105-L120
Vulnerability details
Impact
The burn() function in Lendgine can be called by anybody. This causes tokens to be sent out to users who have not paid any tokens or put up any collateral themselves. The Lendgine contract can thus be completely drained by an attacker calling burn().
Proof of Concept
When an EOA calls the burn() function:
shares, liquidity and collateral are calculated from balanceOf[address(this)], where address(this) refers to the Lendgine contract itself. However, there are no checks that the tokens being burned belong to the address that calls the contract.
https://github.com/code-423n4/2023-01-numoen/blob/2ad9a73d793ea23a25a381faadc86ae0c8cb5913/src/core/Lendgine.sol#L108-L110
token1 is then transferred to the address passed as the to parameter, which an attacker would set to their own address.
https://github.com/code-423n4/2023-01-numoen/blob/2ad9a73d793ea23a25a381faadc86ae0c8cb5913/src/core/Lendgine.sol#L116
Tools Used
Manual Review
Recommended Mitigation Steps
burn() needs to be an internal function, or have checks and access controls ensuring that it can only be called by users who are burning, and receiving, tokens they are entitled to.
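To make the two patterns concrete, below is an added Solidity sketch; it is not Numoen's code and not part of the original report. It strips a share token down to the two burn styles the report contrasts: one that burns whatever share balance the contract itself holds and pays out to a caller-chosen address, and one that burns only shares owned by msg.sender. The contract name, the mint() and transfer() helpers, and the assumed 1 share : 1 unit of token1 rate are simplifications made for the example; interest accrual and the share-to-liquidity-to-collateral conversions mentioned in the report are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Illustrative share token used only to contrast the two burn styles.
// This is NOT Numoen's Lendgine; all names and the 1:1 share-to-token1
// rate are assumptions made for the example.
contract BurnPatterns {
    IERC20 public immutable token1;              // collateral token paid out on burn
    mapping(address => uint256) public balanceOf; // share balances
    uint256 public totalSupply;

    error InputError();

    constructor(IERC20 _token1) {
        token1 = _token1;
    }

    // Helper so the example is self-contained: credit `shares` to `to`.
    function mint(address to, uint256 shares) external {
        balanceOf[to] += shares;
        totalSupply += shares;
    }

    // ERC20-style transfer; used to move shares into this contract
    // before calling burnFromContract().
    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount; // reverts on underflow in 0.8.x
        balanceOf[to] += amount;
        return true;
    }

    // Style described in the report: the amount burned is whatever share
    // balance the contract itself holds, and the caller picks `to`.
    // Whoever sent shares here must burn them in the same transaction
    // (typically via a periphery contract); otherwise any later caller
    // can burn them and receive the collateral.
    function burnFromContract(address to) external returns (uint256 collateral) {
        uint256 shares = balanceOf[address(this)];
        if (shares == 0) revert InputError();
        collateral = shares; // assumed 1:1 rate
        balanceOf[address(this)] = 0;
        totalSupply -= shares;
        require(token1.transfer(to, collateral), "transfer failed");
    }

    // Style the report recommends: the caller can only burn shares it owns,
    // so the entitlement check is enforced by the contract, not by the
    // calling convention.
    function burnOwn(uint256 shares, address to) external returns (uint256 collateral) {
        if (shares == 0 || balanceOf[msg.sender] < shares) revert InputError();
        collateral = shares; // assumed 1:1 rate
        balanceOf[msg.sender] -= shares;
        totalSupply -= shares;
        require(token1.transfer(to, collateral), "transfer failed");
    }
}
```

With burnFromContract(), the entitlement check lives outside the function: it is safe only if the share transfer and the burn happen atomically. With burnOwn(), the check is inside the function, which is the property the mitigation asks for.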