sherlock-audit / 2024-02-telcoin-platform-audit-update-judging

3 stars 1 forks source link

bigbick123456789000 - BURNER_ROLE can burn an arbitrary amount of tokens from any address. #78

Closed sherlock-admin2 closed 7 months ago

sherlock-admin2 commented 7 months ago

bigbick123456789000

medium

BURNER_ROLE can burn an arbitrary amount of tokens from any address.

Summary

See below

Vulnerability Detail

In the burnFrom function of the contract, any address with the BURNER_ROLE can burn tokens from any other address without sufficient restriction or validation. Here's how the vulnerability is manifested in the code:

function burnFrom(
    address account,
    uint256 value
) public onlyRole(BURNER_ROLE) {
    _spendAllowance(account, _msgSender(), value);
    _burn(account, value);
}

The burnFrom function first checks allowance by calling _spendAllowance to ensure that the msg.sender (the caller) has been approved to spend tokens on behalf of account. Then, it proceeds to burn the specified amount of tokens from the account by calling the internal _burn function.

Impact

The lack of restriction on token burning poses a risk of unauthorized burning of tokens from any address by addresses with the BURNER_ROLE, potentially resulting in loss of tokens and affecting the token economy's integrity.

Code Snippet

#L106-L112

Tool used

Manual Review

Recommendation

Update burnFrom function for only owner can burn his tokens.

sherlock-admin2 commented 7 months ago

1 comment(s) were left on this issue during the judging contest.

WangAudit commented:

the burner is trusted :(