Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/RSETH.sol#L47
https://github.com/code-423n4/2023-11-kelp/blob/main/src/RSETH.sol#L54
Vulnerability details
Impact
A holder of the burner role can burn any amount of rsETH from any address without that address's consent, and a holder of the minter role can mint an arbitrary amount of rsETH to any account. A compromised or malicious holder of either role can therefore destroy user balances directly, or inflate supply and dilute every holder, which breaks the accounting of any system that relies on rsETH balances or total supply.
Proof of Concept
Although the bot report already flagged the centralization risk of the minter and burner roles, we want to raise a separate concern: a burner that can burn tokens from anyone's account is not a necessary feature. The burn function at the linked line takes an arbitrary account and amount and is gated only by the role check, so nothing requires the burned tokens to come from the burner's own balance or from an account that has approved the burner. A burner-role holder calling that function with a victim's address and the victim's full balance destroys the victim's rsETH in a single transaction, with no approval and no way for the victim to prevent it.
Tools Used
Manual review; prior finding on the same pattern: https://solodit.xyz/issues/m-03-minterburnerrole-can-burn-any-amount-of-yieldy-from-an-arbitrary-address-code4rena-yieldy-yieldy-contest-git
Recommended Mitigation Steps
Restrict the burn target so that a burner cannot destroy balances it has no claim on. For example, only burn within an allowance the account holder has granted to the burner (the pattern used by OpenZeppelin's ERC20Burnable.burnFrom, which spends the caller's allowance before burning), or only allow the burner to burn its own balance so that tokens must first be transferred to it through the protocol's withdrawal flow.
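To make the recommendation concrete, the following contract is an added illustration written for this report; it is not the Kelp RSETH.sol code. The unrestricted burn mirrors the pattern this finding is about, and the two functions after it show the allowance-based and self-balance-only mitigations. Contract and function names other than the OpenZeppelin ones are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/access/AccessControl.sol";

// Illustrative token written for this report (not the Kelp contract).
// Role names follow the usual keccak256("...") convention.
contract RsEthExample is ERC20, AccessControl {
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");
    bytes32 public constant BURNER_ROLE = keccak256("BURNER_ROLE");

    constructor(address admin) ERC20("rsETH example", "rsETH") {
        _grantRole(DEFAULT_ADMIN_ROLE, admin);
    }

    // Privileged mint, as in the linked RSETH.sol pattern: any amount to any account.
    function mint(address to, uint256 amount) external onlyRole(MINTER_ROLE) {
        _mint(to, amount);
    }

    // BEFORE: the pattern this finding describes. Only the role is checked;
    // the holder of `account` never consented, so a burner can wipe any balance.
    function burnFromUnrestricted(address account, uint256 amount)
        external
        onlyRole(BURNER_ROLE)
    {
        _burn(account, amount);
    }

    // AFTER, option 1: burn only within the allowance `account` granted to the
    // caller. _spendAllowance reverts when the allowance is insufficient, so the
    // burner is limited to what the holder explicitly approved (this is what
    // OpenZeppelin's ERC20Burnable.burnFrom does).
    function burnFrom(address account, uint256 amount)
        external
        onlyRole(BURNER_ROLE)
    {
        _spendAllowance(account, msg.sender, amount);
        _burn(account, amount);
    }

    // AFTER, option 2: the burner may only burn its own balance. Tokens must be
    // transferred to the burner first (e.g. by the withdrawal flow), so no
    // third-party balance can be destroyed.
    function burn(uint256 amount) external onlyRole(BURNER_ROLE) {
        _burn(msg.sender, amount);
    }
}
```

With option 1, a user who wants to withdraw calls `approve(burner, amount)` and the burner then calls `burnFrom(user, amount)`; a call without that approval reverts. With option 2 the protocol component holding BURNER_ROLE burns only what has been transferred to it, and a compromised burner key can at most destroy tokens already sitting in that contract.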
Assessed type
Other