Users can silently burn tokens with transfers to 0x0
ggrieco-tob opened this issue · comments
Severity: Low
Difficulty: Low
Description
The amount of minted tokens is tracked in the BToken
contract by the totalSupply
function. Burning tokens is only possible using an internal operation (called by BPools
). However, the transfer
and transferFrom
methods do not restrict the address destination of address(0x0)
, allowing tokens to effectively be burned without decreasing the totalSupply
variable.
Exploit Scenario
Alice create a pool and uses some off-chain code to manage it. A calculation results in a transfer to the null or empty address of 0x0. As a result, Alice loses her tokens.
Recommendation
Add a require condition in transfer
and transferFrom
that explicitly forbids burning tokens transfer them to 0x0.
Long term, use Echidna and Manticore to check that the BToken
does not allow to easily burn tokens transfer them to 0x0.
Won't fix - no restrictions to 0 addresses will be added to the core protocol