📄

Report #12739

Report Date
October 23, 2022

SOLIDITY INCORRECT ACCESS CONTROL

Report Info

Report ID

#12739

Target

Report type

Smart Contract

Impacts

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Has PoC?

Yes

Bug Description

Access controls define the restrictions around privileges and roles of users in an application. Access control in smart contracts can be related to governance and critical logic like minting tokens, voting on proposals, withdrawing funds, pausing and upgrading the contracts, changing ownership, etc. File 5 of 15: ERC20Burnable.sol We will notice that the burn function is public and hence any user can call the burn function.Line 36-40

Impact

an attacker could purchase any token and then call the public burn function to burn all the tokens on UniSwap, creating inflation and hence increasing the worth of the token and then swapping it for ETH till the pool is exhausted. This could have been prevented if the function had access control implemented like onlyOwner or the function was internal with correct access control logic.

Risk Breakdown

Difficulty to Exploit: Easy Weakness: CVSS2 Score:

Proof of concept

Visit the url and read smart contracts carefully.Scroll down to File 5 of 15: ERC20Burnable.sol We will notice that the burn function is public and hence any user can call the burn function.Line 36-40

BIC Response

This is not a security bug report because it is intended behavior that a user can burn anyone else's tokens as long as the owner of the tokens signed the allowance. A user can also burn any Beans they want, as long as they own the tokens.

Due to these reasons, we are closing the submission and no reward will be issued.

Halborn Response

Of course, you can burn anyone else's tokens as long as that person signed the allowance. Just like transferFrom(). And sure, you can burn any BEAN you want... As long as you own it.