TWAML weights can be griefed by burning tokens

[hats-bug-reporter[bot]]

Github username: -- Twitter username: -- Submission hash (on-chain): 0x6e5d59738b5cdce0817b3b0119a1830f5a1bb8d1e0912bb1bdb1bf25c3825524 Severity: medium

Description: Description

This is an unfixed vulnerability from the last Code4rena audit. Instead of trying to reword it or describe it again I hope it's sufficient to link to the report that explains the issue well.

Link

Recommendation

Disable the burn function of the OTAP contract and only allow selected contracts such as the TOB contract to call it.

[0xRektora]

Invalid, a fix has already been made. https://github.com/Tapioca-DAO/tap-token/commit/353cf6fed76e9acba33f4f2ab029526368b756ee

[0xRektora]

You might've audited the wrong commit hash codebase. The default branch has been changed to dev to avoid further confusions.