sherlock-admin2
commented
5 months ago 1 comment(s) were left on this issue during the judging contest.
takarez commented:
valid because {Also a dupp of 014 with 2 impact but of the same function; so 014 still the best}
r0ck3tz
high
Burn functionality breaks accounting
Summary
The
burnfunction in theCouncilMembercontract is implemented incorrectly, causing a disruption in the usage of the protocol. The balance array items are closely tied to the token identifiers of the contract, but when a token is burned, the balance array becomes corrupted.Vulnerability Detail
The
burnfunction has been implemented incorrectly and is disrupting the accounting. The contract has been designed in a way that ties the identifier of the NFT to the corresponding balance item with the same identifier. The function currently burns the NFT, but instead of appropriately updating the balance, it replaces the balance of that burned NFT with the balance of the last NFT and then removes the last time from the array. Consequently, the last balance is erroneously transferred from the user and assigned to an identifier that cannot be claimed because the corresponding NFT was already burned and the holder of token with the highest identifier looses balance.Scenario:
burnfunction is triggered by targeting a token id1-burn(1, address(0x1234). Because of the implementation the balance with id1is swapped with the balance of the last element, and the last element is popped out from the array:2lost his balance.Impact
Since balances are out of sync with the NFTs identifiers it leads to series of issues:
burnfunction.burnfunction execution one or more users does not accrue balance.totalSupplyreturns the value of the token id that already exists.Code Snippet
Tool used
Manual Review
Recommendation
It is recommended to redesign
burnfunction so it does not break accounting and token identifiers are in sync with the balances.Duplicate of #199