Lines of code
https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/hardhat-vultisig/contracts/Vultisig.sol#L1
https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/hardhat-vultisig/contracts/extensions/VultisigWhitelisted.sol#L1
Vulnerability details
Impact
The documentation says that the token VULT operates on a buy-burn model.
Link to the documentation 1
Link to the documentation 2
But the Vultisig.sol and VultisigWhitelisted.sol contracts have no external burn() function. They only have an internal _burn function inherited from the ERC20 OpenZeppelin contract. Therefore, the functionality specified in the documentation cannot be realized. Since the contracts are not upgradeable, the VULT Token contract will have to be re-deployed to add new functionality.
Proof of Concept
None
Tools Used
Manual
Recommended Mitigation Steps
Add an external function burn(uint256 amount) with the modifier onlyOwner to the contract Vultisig.sol.
Assessed type
Other
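One way the recommended burn function could look, as an added sketch that is not the project's own code. It assumes OpenZeppelin Contracts 5.x; the contract name, token name, symbol and supply are placeholders, and burning from the owner's own balance is an assumption.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts 5.x import paths and Ownable constructor.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";

/// Illustrative stand-in for Vultisig.sol (hypothetical name, symbol and supply).
contract BurnableTokenSketch is ERC20, Ownable {
    constructor() ERC20("Sketch Token", "SKT") Ownable(msg.sender) {
        // Constructed sample supply, minted to the deployer.
        _mint(msg.sender, 100_000_000 * 1e18);
    }

    /// Externally callable entry point for the inherited internal _burn.
    /// Restricted to the owner, as the mitigation recommends.
    /// Assumption: tokens are burned from the owner's own balance.
    function burn(uint256 amount) external onlyOwner {
        // _burn reverts if the caller holds fewer than `amount` tokens,
        // reduces totalSupply and emits Transfer(caller, address(0), amount).
        _burn(_msgSender(), amount);
    }
}
```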