Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ravikiran.web3 - CouncilMember::burn() function is incorrectly implemented #163

Closed
sherlock-admin2 opened this issue Jan 15, 2024 · 1 comment
Closed

ravikiran.web3 - CouncilMember::burn() function is incorrectly implemented #163

sherlock-admin2 opened this issue Jan 15, 2024 · 1 comment
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue

Comments

@sherlock-admin2
Copy link
Contributor

sherlock-admin2 commented Jan 15, 2024
edited by sherlock-admin
Loading

ravikiran.web3

high

CouncilMember::burn() function is incorrectly implemented

Summary

CouncilMember::burn() function is incorrectly implemented as it updates the balance for a token that is being currently burnt.

Vulnerability Detail

In the burn function, the Telcoin balances for all the councilMembers are updated wit retrieve function call. Immediately after that, the TelCoin for the tokenId is withdrawn to the recipient address.

This clears the balances of the tokenId that is being burnt.
So, what is left is to update the balances array by removing the tokenId from the array and then burning the token itself.

Refer to the below code snippet, where the above intention is implemented. Instead of remove the tokenId from the array, the tokenId balance is updated with the balance of the last element in the array.

       _retrieve();
        _withdrawAll(recipient, tokenId);

       @audit ===> uint256 balance = balances[balances.length - 1];
       @audit ===>  balances[tokenId] = balance;
        balances.pop();
        _burn(tokenId);

Impact

Code Snippet

https://github.com/sherlock-audit/2024-01-telcoin/blob/main/telcoin-audit/contracts/sablier/core/CouncilMember.sol#L210-L222

Tool used

Manual Review

Recommendation

using Array is not a good approach here. It is recommended to use map with tokenId -> balance.
This way, deletion will be much more easier and simpler.

Duplicate of #199
@github-actions github-actions bot added High A valid High severity issue Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label labels Jan 19, 2024
@sherlock-admin2
Copy link
Contributor Author

1 comment(s) were left on this issue during the judging contest.

takarez commented:

valid because {its a dupp of 109 but without the impact beign mentioned}

@sherlock-admin sherlock-admin changed the title Dandy Tangelo Mustang - CouncilMember::burn() function is incorrectly implemented ravikiran.web3 - CouncilMember::burn() function is incorrectly implemented Jan 29, 2024
@sherlock-admin sherlock-admin added the Reward A payout will be made for this issue label Jan 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label High A valid High severity issue Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sherlock-admin @sherlock-admin2