Platform: Code4rena
Start Date: 09/12/2022
Pot Size: $36,500 USDC
Total HM: 9
Participants: 69
Period: 3 days
Judge: Picodes
Total Solo HM: 2
Id: 190
League: ETH
Rank: 47/69
Findings: 1
Award: $28.12
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xSmartContract
Also found by: 0Kage, 0x52, 0xAgro, 0xNazgul, 0xTraub, 0xhacksmithh, Awesome, Aymen0909, Bnke0x0, Englave, Janio, Mukund, Parth, RaymondFam, Rolezn, SmartSek, Tointer, UdarTeam, Udsen, Zarf, caventa, chaduke, csanuragjain, deliriusz, gz627, idkwhatimdoing, izhelyazkov, joestakey, neumo, obront, oyc_109, rvierdiiev, shark, trustindistrust, wait, yongskiws
28.124 USDC - $28.12
User can burn their tokens outside of the redeem function and trap collateral
```solidity
function burn(uint256 amount) public virtual { _burn(_msgSender(), amount); }
```
LongShortToken inherits from OZ's ERC20Burnable, which exposes a public `burn` (and `burnFrom`) that lets any holder destroy their own tokens. Tokens burned this way bypass the market's redeem path, so the collateral they represented can never be claimed and stays locked in the contract permanently.
Manual Review
In LongShortToken, override the burn methods to only allow the PrePOMarket to burn tokens:
```solidity
// Only the owner (the PrePOMarket) may burn, so supply changes only through redeem.
function burn(uint256 amount) public override onlyOwner {
    _burn(_msgSender(), amount);
}

function burnFrom(address account, uint256 amount) public override onlyOwner {
    _spendAllowance(account, _msgSender(), amount);
    _burn(account, amount);
}
```
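To show the mitigation in context, here is an added example (not the prePO project's code) of a long/short token whose `burn`/`burnFrom` overrides are owner-only, alongside a toy market that deploys the tokens, therefore owns them, and is the only code path that burns them while returning collateral. It assumes OpenZeppelin Contracts 4.x (`_spendAllowance` needs 4.6 or later) and a no-argument `Ownable` constructor; the contract names, the 1:1 collateral accounting and the `ToyMarket` itself are constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the prePO project's code. Assumes OpenZeppelin Contracts 4.x.
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/token/ERC20/extensions/ERC20Burnable.sol";
import "@openzeppelin/contracts/access/Ownable.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// @dev Hardened long/short token: only the owner (the market) can mint or burn,
///      so supply changes only happen inside market logic that moves collateral.
contract LongShortTokenHardened is ERC20, ERC20Burnable, Ownable {
    constructor(string memory name_, string memory symbol_) ERC20(name_, symbol_) {}

    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }

    /// Overrides ERC20Burnable.burn: holders can no longer destroy tokens directly.
    function burn(uint256 amount) public override onlyOwner {
        _burn(_msgSender(), amount);
    }

    /// Overrides ERC20Burnable.burnFrom: only the market may burn on a holder's
    /// behalf, and only within the allowance the holder granted to the market.
    function burnFrom(address account, uint256 amount) public override onlyOwner {
        _spendAllowance(account, _msgSender(), amount);
        _burn(account, amount);
    }
}

/// @dev Toy market constructed for this example (hypothetical, not PrePOMarket).
///      Deploying the tokens from here makes this contract their owner.
contract ToyMarket {
    using SafeERC20 for IERC20;

    IERC20 public immutable collateral;
    LongShortTokenHardened public immutable longToken;
    LongShortTokenHardened public immutable shortToken;

    constructor(IERC20 collateral_) {
        collateral = collateral_;
        longToken = new LongShortTokenHardened("Toy Long", "tLONG");
        shortToken = new LongShortTokenHardened("Toy Short", "tSHORT");
    }

    /// Deposit `amount` collateral and receive `amount` long plus `amount` short.
    function mint(uint256 amount) external {
        collateral.safeTransferFrom(msg.sender, address(this), amount);
        longToken.mint(msg.sender, amount);
        shortToken.mint(msg.sender, amount);
    }

    /// Redeem matched long+short pairs for collateral. The holder must first
    /// approve this market on both tokens; burnFrom then consumes that allowance,
    /// and the collateral leaves the contract in the same transaction.
    function redeem(uint256 amount) external {
        longToken.burnFrom(msg.sender, amount);
        shortToken.burnFrom(msg.sender, amount);
        collateral.safeTransfer(msg.sender, amount);
    }
}
```

With these overrides a direct `burn` call from a holder reverts with the `Ownable` error, so every burn is paired with a collateral transfer out of the market; a holder who wants to exit has to go through `redeem`, and the collateral accounting stays consistent with total supply.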
#0 - Picodes
2022-12-17T10:19:28Z
Downgrading to QA as the same thing can happen if someone transfers LongShortToken to address(0) or any wrong address
#1 - c4-judge
2022-12-17T10:19:34Z
Picodes changed the severity to QA (Quality Assurance)
#2 - c4-judge
2022-12-19T13:45:44Z
Picodes marked the issue as grade-b
#3 - c4-sponsor
2022-12-22T10:50:40Z
davidprepo marked the issue as sponsor disputed
#4 - ghost
2022-12-22T10:50:51Z
If a user wants to cast their tokens into the void, that's their prerogative