Unchecked Return Value in `usde.burn()` Function Allows Potentially Inconsistent State

[hats-bug-reporter[bot]]

Github username: -- Twitter username: Mr_x_strange Submission hash (on-chain): 0xa60301f0337064239eabafc71043131578fa03b671b6c1d92b67a42bb995e4e9 Severity: medium

Description: Description

• The deposit function in the contract fails to check the return value of the usde.burn() function. Since usde.burn() returns a bool, the code should verify that the burn operation succeeded. Without this check, if usde.burn() fails, the function will continue executing, potentially resulting in an inconsistent state where assets are "burned" but shares are still minted.
• This issue could expose the contract to state inconsistencies or unwanted behavior if usde.burn() encounters an issue during execution.

Attack Scenario\

• This unchecked return value could result in incorrect asset allocations, exposing the contract to potential financial inconsistencies and possibly facilitating attacks that exploit unbalanced contract states.

Steps to Reproduce:

1. Attempt to call deposit() when the usde.burn() function returns false.
2. Observe that shares are still minted to the receiver, despite the burn operation failing.

Expected Behavior:
The deposit function should revert if usde.burn() fails, preventing the continuation of the function and ensuring contract state consistency.

Actual Behavior:
The function continues executing even if usde.burn() fails, potentially leading to inconsistent state or unintended asset allocation.

Recommended Fix:

To prevent this issue, add a require statement to check the return value of usde.burn():

require(usde.burn(msg.sender, assets), "Burn operation failed");

Vulnerable Location: InvestToken.sol#L245 , USDE.sol#L112

 function deposit(uint256 assets, address receiver) public returns (uint256 shares) {
     ...
        usde.burn(msg.sender, assets); //@audit-issue uncheck reuturn value 
        _mint(receiver, shares);

        emit Deposit(msg.sender, receiver, assets, shares);
    }

contract USDE is
  ...
{
..
 function burn(address from, uint256 amount) public onlyRole(BURN_ROLE) returns (bool) { //@audit-issue burn return bool value
        _burn(from, amount);

        return true;
    }
...

}

[AndreiMVP]

Dup of https://github.com/hats-finance/Euro-Dollar-0xa4ccd3b6daa763f729ad59eae75f9cbff7baf2cd/issues/72