code-423n4 / 2024-06-vultisig-findings


M-1 There is no external function `burn()` in the VULT contract #223

Closed howlbot-integration[bot] closed 4 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/hardhat-vultisig/contracts/Vultisig.sol#L1

https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/hardhat-vultisig/contracts/extensions/VultisigWhitelisted.sol#L1

Vulnerability details

Impact

The documentation says that the token VULT operates on a buy-burn model.

Link to the documentation 1

Link to the documentation 2

But the Vultisig.sol and VultisigWhitelisted.sol contracts have no external burn() function. They only have an internal _burn function that is inherited from the ERC20 OpenZeppelin contract. Therefore, the functionality specified in the documentation cannot be realized. Since the contracts are not upgradeable, the VULT Token contract will have to be re-deployed to add new functionality.

Proof of Concept

None

Tools Used

Manual

Recommended Mitigation Steps

Add an external function burn(uint256 amount) with the modifier onlyOwner to the contract Vultisig.sol.

Assessed type

Other

c4-judge commented 4 months ago

alex-ppg marked the issue as duplicate of #224

c4-judge commented 4 months ago

alex-ppg marked the issue as satisfactory