Open hats-bug-reporter[bot] opened 7 months ago
Github username: @rodiontr Twitter username: -- Submission hash (on-chain): 0x7da0d041897fc9a62d2a521d150b4d3fde69b69e5d9d0a988e064577a9c40441 Severity: high
Description
The contract doesn't make sure it has permission to burn tokens and checks only if it's able to mint them.
Attack Scenario
In `lib.rs`, when adding a new pair, it checks whether MOST has permission to mint in this line:
https://github.com/Cardinal-Cryptography/most/blob/70ab234cc3322fda82784413f5e0704907a0e1fe/azero/contracts/most/lib.rs#L671-672
```rust
let psp22_address: AccountId = from.into();
let psp22: ink::contract_ref!(Mintable) = psp22_address.into();
```
However, it should instead make sure that it can burn the `from` token, as it's burnt on the source chain initially:
https://github.com/Cardinal-Cryptography/most/blob/70ab234cc3322fda82784413f5e0704907a0e1fe/azero/contracts/most/lib.rs#L316
```rust
self.burn_from(src_token_address.into(), sender, amount)?;
```
Attachments
Provided above.
Recommendation
Change the check to:
```rust
let psp22_address: AccountId = from.into();
let psp22: ink::contract_ref!(Burnable) = psp22_address.into();
```
Invalid submission: A PoC is required for submission to be considered valid. You can create a new submission that contains a working PoC.
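As an added illustration, not part of the submission above and not the MOST code base: a small plain-Rust model of the point the report is making, namely that the capability a bridge verifies when a pair is registered should be the one it actually exercises on the transfer path. The `Token`, `Bridge`, the minter/burner role sets, the account ids and the `add_pair_*` / `send_request` / `receive_request` names are all constructed assumptions; the real contract uses ink! and PSP22 traits, which are not reproduced here.

```rust
use std::collections::{HashMap, HashSet};

type AccountId = u32;

#[derive(Debug, PartialEq)]
enum Error {
    NotMinter,
    NotBurner,
    InsufficientBalance,
    UnknownPair,
}

/// Constructed PSP22-like token with explicit mint and burn roles.
#[derive(Default)]
struct Token {
    balances: HashMap<AccountId, u128>,
    minters: HashSet<AccountId>,
    burners: HashSet<AccountId>,
}

impl Token {
    fn can_mint(&self, who: AccountId) -> bool { self.minters.contains(&who) }
    fn can_burn(&self, who: AccountId) -> bool { self.burners.contains(&who) }

    fn mint(&mut self, caller: AccountId, to: AccountId, amount: u128) -> Result<(), Error> {
        if !self.can_mint(caller) { return Err(Error::NotMinter); }
        *self.balances.entry(to).or_insert(0) += amount;
        Ok(())
    }

    fn burn_from(&mut self, caller: AccountId, from: AccountId, amount: u128) -> Result<(), Error> {
        if !self.can_burn(caller) { return Err(Error::NotBurner); }
        let bal = self.balances.entry(from).or_insert(0);
        if *bal < amount { return Err(Error::InsufficientBalance); }
        *bal -= amount;
        Ok(())
    }
}

/// Constructed bridge: registers local/remote token pairs, burns on send, mints on receive.
struct Bridge {
    id: AccountId,
    tokens: HashMap<AccountId, Token>,   // local token address -> token state (stands in for cross-contract calls)
    pairs: HashMap<AccountId, [u8; 32]>, // local token address -> remote token id
}

impl Bridge {
    /// Weak variant: only verifies the mint capability, as the report describes.
    fn add_pair_mint_only(&mut self, from: AccountId, to: [u8; 32]) -> Result<(), Error> {
        let token = self.tokens.get(&from).ok_or(Error::UnknownPair)?;
        if !token.can_mint(self.id) { return Err(Error::NotMinter); }
        self.pairs.insert(from, to);
        Ok(())
    }

    /// Stricter variant: verifies every capability the transfer paths below will need.
    fn add_pair_checked(&mut self, from: AccountId, to: [u8; 32]) -> Result<(), Error> {
        let token = self.tokens.get(&from).ok_or(Error::UnknownPair)?;
        if !token.can_mint(self.id) { return Err(Error::NotMinter); }
        if !token.can_burn(self.id) { return Err(Error::NotBurner); }
        self.pairs.insert(from, to);
        Ok(())
    }

    /// Outbound transfer: burns the local token from the sender (the capability the weak check skips).
    fn send_request(&mut self, src_token: AccountId, sender: AccountId, amount: u128) -> Result<(), Error> {
        if !self.pairs.contains_key(&src_token) { return Err(Error::UnknownPair); }
        let bridge_id = self.id;
        let token = self.tokens.get_mut(&src_token).ok_or(Error::UnknownPair)?;
        token.burn_from(bridge_id, sender, amount)
    }

    /// Inbound transfer: mints the local token to the receiver.
    fn receive_request(&mut self, dst_token: AccountId, receiver: AccountId, amount: u128) -> Result<(), Error> {
        if !self.pairs.contains_key(&dst_token) { return Err(Error::UnknownPair); }
        let bridge_id = self.id;
        let token = self.tokens.get_mut(&dst_token).ok_or(Error::UnknownPair)?;
        token.mint(bridge_id, receiver, amount)
    }
}

/// Scenario (constructed): the token grants the bridge the minter role but not the burner role.
/// Returns (weak add_pair, receive, send, strict add_pair) results.
fn scenario() -> (Result<(), Error>, Result<(), Error>, Result<(), Error>, Result<(), Error>) {
    let (bridge_id, token_addr, user) = (1, 10, 42);
    let mut token = Token::default();
    token.minters.insert(bridge_id);
    token.balances.insert(user, 1_000);
    let mut bridge = Bridge { id: bridge_id, tokens: HashMap::new(), pairs: HashMap::new() };
    bridge.tokens.insert(token_addr, token);
    let remote = [0xaa; 32];

    let add_weak = bridge.add_pair_mint_only(token_addr, remote); // accepted: mint role is present
    let recv = bridge.receive_request(token_addr, user, 5);       // inbound works
    let send = bridge.send_request(token_addr, user, 100);        // outbound fails only now, at runtime
    bridge.pairs.clear();
    let add_strict = bridge.add_pair_checked(token_addr, remote); // rejected at configuration time
    (add_weak, recv, send, add_strict)
}

fn main() {
    println!("{:?}", scenario());
}
```

The misconfiguration is identical in both runs; the difference is where it surfaces. With the mint-only check it is discovered by the first user whose outbound transfer reverts, while the stricter registration check rejects the pair before any user can depend on it.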