
[SECURITY DISCLOSURE] Critical Vulnerability found in ERC6909Claims.sol #1027

@rbxict

Description


Bug Report: ERC6909Claims Contract

Contract Name: ERC6909Claims
Severity: HIGH
Bug Type: Unprotected Burn Functionality

Description:
The _burnFrom function in the ERC6909Claims contract is vulnerable to unauthorized token burning. When the sender is not the owner of the tokens (from != sender), the contract checks if the sender is an operator or has sufficient allowance. However, if the sender has unlimited allowance (senderAllowance == type(uint256).max), the contract does not decrement the allowance, allowing the sender to burn tokens without actually having the necessary allowance.

Impact:
An attacker can exploit this vulnerability to burn tokens from another user's account without their consent, as long as they have unlimited allowance. This can lead to unintended and unauthorized token burning, potentially resulting in significant financial losses.

Recommendation:
To fix this vulnerability, the contract should be modified to handle the case where the sender has unlimited allowance. Specifically, the allowance should be decremented even if it is type(uint256).max. This can be achieved by changing the if condition to always decrement the allowance when burning tokens.

Code Fix:

```solidity
function _burnFrom(address from, uint256 id, uint256 amount) internal {
    address sender = msg.sender;
    if (from != sender && !isOperator[from][sender]) {
        uint256 senderAllowance = allowance[from][sender][id];
        // Check before writing, so the revert reason below is what callers see
        // rather than an arithmetic underflow panic from the subtraction.
        require(senderAllowance >= amount, "ERC6909Claims: insufficient allowance");
        // Always decrement, including when the allowance is type(uint256).max.
        allowance[from][sender][id] = senderAllowance - amount;
    }
    _burn(from, id, amount);
}
```

Additional Recommendations:

  • Consider adding input validation and sanity checks to the _burnFrom function to prevent unintended behavior.
  • Review the contract's overall security and functionality to ensure that it aligns with the intended use case and does not introduce any other vulnerabilities.

Conclusion:
The ERC6909Claims contract contains a HIGH-severity vulnerability that can be exploited to burn tokens without authorization. The recommended code fix and additional recommendations should be implemented to ensure the contract's security and functionality.


RECOMMENDATION: Immediate patch required. Bug Bounty Payout Address (ERC20): 0xe744f6791a685b0A0cC316ED44375B69361c837F
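As an added example (not code from the issue or from the ERC6909Claims project), a small Python model of the `_burnFrom` accounting lets the two variants be compared on constructed balances: the behaviour the report describes, where an allowance equal to `type(uint256).max` is left unchanged, and the proposed fix, which always decrements. The `Token` class, `burn_from`, the `decrement_max` switch and the account names are assumptions of the model.

```python
# Added example: Python model of _burnFrom allowance accounting (not project code).
# Token, burn_from, decrement_max and the account names are assumptions of the model.
from collections import defaultdict

MAX_UINT256 = 2**256 - 1  # type(uint256).max


class Token:
    def __init__(self):
        # balance[owner][id], allowance[owner][spender][id], is_operator[owner][spender]
        self.balance = defaultdict(lambda: defaultdict(int))
        self.allowance = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
        self.is_operator = defaultdict(lambda: defaultdict(bool))

    def _burn(self, owner, id_, amount):
        if self.balance[owner][id_] < amount:
            raise ValueError("insufficient balance")  # models a revert
        self.balance[owner][id_] -= amount

    def burn_from(self, sender, owner, id_, amount, decrement_max=False):
        """decrement_max=False models the behaviour the report describes
        (max allowance never decremented); True models the proposed fix."""
        if owner != sender and not self.is_operator[owner][sender]:
            sender_allowance = self.allowance[owner][sender][id_]
            if sender_allowance < amount:
                raise ValueError("insufficient allowance")  # models a revert
            if decrement_max or sender_allowance != MAX_UINT256:
                self.allowance[owner][sender][id_] = sender_allowance - amount
        self._burn(owner, id_, amount)


def allowance_after_burn(amount, decrement_max):
    """Constructed scenario: 'alice' holds 100 of id 1 and granted 'bob' an
    unlimited allowance; bob burns `amount`. Returns bob's remaining allowance."""
    t = Token()
    t.balance["alice"][1] = 100
    t.allowance["alice"]["bob"][1] = MAX_UINT256
    t.burn_from("bob", "alice", 1, amount, decrement_max=decrement_max)
    return t.allowance["alice"]["bob"][1]


def burn_reverts(allowance, amount, decrement_max=False):
    """True when burn_from reverts for a given finite allowance and amount."""
    t = Token()
    t.balance["alice"][1] = 100
    t.allowance["alice"]["bob"][1] = allowance
    try:
        t.burn_from("bob", "alice", 1, amount, decrement_max=decrement_max)
    except ValueError:
        return True
    return False
```

Running `allowance_after_burn(40, False)` returns the unchanged maximum, while `allowance_after_burn(40, True)` returns the maximum minus 40; `burn_reverts` shows the insufficient-allowance check behaving identically in both variants.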
