search

sherlock-audit / 2024-06-makerdao-endgame-judging

1 stars 1 forks source link

bareli - Anyone can burn anyone token #58

Closed sherlock-admin2 closed 1 month ago

sherlock-admin2 commented 1 month ago

bareli

High

Anyone can burn anyone token

Summary

There is no authentication in the burn function ,anyone can call this function and burn other people tokens.

Vulnerability Detail

function burn(address from, uint256 value) external { uint256 balance = balanceOf[from]; require(balance >= value, "SDAO/insufficient-balance");

    if (from != msg.sender) {
        uint256 allowed = allowance[from][msg.sender];
        if (allowed != type(uint256).max) {
            require(allowed >= value, "SDAO/insufficient-allowance");

            unchecked {
                allowance[from][msg.sender] = allowed - value;
            }
        }
    }

    unchecked {
        // Note: we don't need an underflow check here b/c `balance >= value`
        balanceOf[from] = balance - value;
        // Note: we don't need an underflow check here b/c `totalSupply >= balance >= value`
        totalSupply = totalSupply - value;
    }

    emit Transfer(from, address(0), value);
}

Impact

people token will be lost.

Code Snippet

https://github.com/sherlock-audit/2024-06-makerdao-endgame/blob/main/endgame-toolkit/src/SDAO.sol#L297

Tool used

Manual Review

Recommendation

@>> function burn(address from, uint256 value) external auth {

Duplicate of #13

telome commented 1 month ago

As the code clearly shows, when from != msg.sender, an allowance is required from the from account in order for the burn to succeed.