code-423n4 / 2024-06-vultisig-findings


Internal _burn() function is not exposed externally in the Vultisig.sol contract #222

Closed howlbot-integration[bot] closed 4 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/hardhat-vultisig/contracts/Vultisig.sol#L11

Vulnerability details

Summary

Root cause: According to the documentation, the Vultisig token is expected to be Burnable. This is not true currently since the internal ERC20 _burn() function is not exposed externally through another wrapped external/public function.

Impact: According to the documentation, the token is expected to have a "Value Accrual" model in the Vultisig system, which, as stated, is termed the buy-burn model.

From the docs:

All affiliate, router, and bridge fees accumulated from platform usage will be used to buy and burn the asset.

Through the buy and burn model, the token automatically increases in value the more the app is used to swap and bridge.

As we can see, due to the missing burn functionality, the Vultisig token would fail to increase in value due to the supply not decreasing. This hampers the economic model/value of the token and fails to meet its expected value accrual design in the ecosystem.

Tools Used

Manual Review

Recommended Mitigation Steps

Expose the internal _burn() function using a wrapper external/public function. Ensure that the msg.sender can burn his tokens only.

Assessed type

Error
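One way to implement the recommended wrapper, as an added illustration that is not the Vultisig project's code: a hypothetical ERC20 (OpenZeppelin base assumed) that exposes the internal `_burn()` so callers can only reduce their own balance, plus an allowance-gated `burnFrom()` mirroring OpenZeppelin's `ERC20Burnable` pattern so a third party can never burn tokens it was not explicitly approved to spend.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not code from the 2024-06-vultisig repository.
// Assumes OpenZeppelin Contracts v5 is installed; contract and token
// names are hypothetical.
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

contract BurnableTokenExample is ERC20 {
    event Burned(address indexed account, uint256 amount);

    constructor(uint256 initialSupply) ERC20("Example Token", "EXT") {
        _mint(msg.sender, initialSupply);
    }

    /// @notice Burn tokens held by the caller only.
    /// The internal _burn() reverts if `amount` exceeds the caller's
    /// balance, so no additional balance check is required here.
    function burn(uint256 amount) external {
        _burn(msg.sender, amount);
        emit Burned(msg.sender, amount);
    }

    /// @notice Burn tokens from `account` on behalf of the caller.
    /// _spendAllowance() reverts unless the caller holds sufficient
    /// allowance, and it decrements that allowance before the burn,
    /// so the caller can never burn more than `account` approved.
    function burnFrom(address account, uint256 amount) external {
        _spendAllowance(account, msg.sender, amount);
        _burn(account, amount);
        emit Burned(account, amount);
    }
}
```

Inheriting `ERC20Burnable` from OpenZeppelin gives the same two functions without hand-writing them; the explicit version above is shown only to make the `msg.sender` and allowance checks visible.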

c4-judge commented 4 months ago

alex-ppg marked the issue as duplicate of #224

c4-judge commented 4 months ago

alex-ppg marked the issue as satisfactory