HonorLt
high
Wrong burn logic
Summary
Burning the counselor token does not work as intended and leads to a corrupted state.
Vulnerability Detail
The governance can burn any token on behalf of the owner:
First, it updates and sends all the accumulated balance to the recipient:
Then, it assigns the last balance to this same tokenId and pops an array. In the end, it burns the token. However, burning does not swap the indexes, it just sends this token to the zero (0x0) address. Thus the counselor owning the last token ID will lose their balance, and will not be able to claim it while the burned token will have a dead balance.
Impact
The balance shift when burning the token is incorrect and produces the wrong state. If the burned token is not the last, it gets assigned the wrong balance, and the last token will get an invalid claim. A simple test case showcasing this situation is provided in the code snippet section.
Code Snippet
https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L203-L222
A test case when burning the token with a middle index:
Tool used
Manual Review
Recommendation
Do not pop from the balances array, just leave it with 0 amount and move on.
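The state corruption described above, and the effect of the recommendation, can be reproduced with a small model. This is an added example, not the CouncilMember.sol code or the report's own test case; the class, method and holder names are assumptions, and it assumes balances is an array indexed by tokenId.

```python
# Simplified model (assumption): balances is a list indexed by tokenId and
# owners maps tokenId -> holder. All names here are illustrative only.

class Council:
    def __init__(self, holders, balances):
        self.owners = dict(enumerate(holders))
        self.balances = list(balances)
        self.paid = {}                      # address -> total amount received

    def _pay(self, to, amount):
        self.paid[to] = self.paid.get(to, 0) + amount

    def claim(self, token_id):
        owner = self.owners[token_id]       # KeyError if the token was burned
        amount = self.balances[token_id]    # IndexError if the slot was popped
        self.balances[token_id] = 0
        self._pay(owner, amount)
        return amount

    def burn_as_described(self, token_id, recipient):
        # Behaviour the report describes: pay out, move the last balance into
        # the burned slot, pop the array, burn. Token ids are never swapped.
        self._pay(recipient, self.balances[token_id])
        self.balances[token_id] = self.balances[-1]
        self.balances.pop()
        del self.owners[token_id]

    def burn_recommended(self, token_id, recipient):
        # Report's recommendation: leave the slot in place with a 0 amount.
        self._pay(recipient, self.balances[token_id])
        self.balances[token_id] = 0
        del self.owners[token_id]


def run(burn_name):
    # Constructed sample state: three holders, token ids 0..2.
    c = Council(["alice", "bob", "carol"], [10, 20, 30])
    getattr(c, burn_name)(1, "treasury")    # burn the middle token
    try:
        last_claim = c.claim(2)             # carol still owns the last token
    except IndexError:
        last_claim = None                   # her slot no longer exists
    return c.balances, last_claim, c.paid


if __name__ == "__main__":
    print("as described:", run("burn_as_described"))
    print("recommended: ", run("burn_recommended"))
```

In the first run, index 1 belongs to the burned token yet still holds 30, and token 2 has no slot to claim from; in the second, token 2 claims its full 30.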
Duplicate of #199