Council members will claim 0 telcoin tokens as tokenid burn mechanism is wrong.
Summary
When a tokenid is burned, the tokenid is not replaced properly with the last tokenid (balances array) that leads to claim no telcoin tokens to some council members.
Vulnerability Detail
Let assume 10 tokenid(council members) are minted. Every (0 to 5) tokenid’s balance is 50e18 and every (6 to 9) tokenid’s balance is 100e18.
Now GOVERNANCE_COUNCIL_ROLE wants to burn tokenid 4, so GOVERNANCE_COUNCIL_ROLE calls the function burn with param tokenid 4.
See the burn function, uint256 balance = balances[9] = 100e18; balances[4] = 100(balance of tokenid 4 is updated to 100 and this is not replaced with last one); balances.pop() will remove tokenid 9 and then tokenid 4 is burned.
Tokenid 9 owner call the claim function to claim telcoin tokens but this will revert (see claim function) as balances[tokenId] = 0(as there is no tokenindex/tokenid 9 in balances array, so default value is 0); so balances[tokenId] -= amount i.e (0 - amount) = underflow ,which ledas to revert.
almurhasan
high
Council members will claim 0 telcoin tokens as tokenid burn mechanism is wrong.
Summary
When a tokenid is burned, the tokenid is not replaced properly with the last tokenid (balances array) that leads to claim no telcoin tokens to some council members.
Vulnerability Detail
Impact
Council member can’t claim the telcoin tokens.
Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L219
Tool used
Manual Review
Recommendation
Replace the burning tokenid properly with the last tokenid.
Duplicate of #199