Frankencoin - 0xkaju's results

A decentralized and fully collateralized stablecoin.

General Information

Platform: Code4rena

Start Date: 12/04/2023

Pot Size: $60,500 USDC

Total HM: 21

Participants: 199

Period: 7 days

Judge: hansfriese

Total Solo HM: 5

Id: 231

League: ETH

Researcher Performance

Rank: 193/199

Findings: 1

Award: $0.07

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Equity.sol#L309
https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Equity.sol#L313

Vulnerability details

Impact

The function takes a list of addresses and performs the burn operation addressesToWipe.length times. While iterating over addressesToWipe in the for loop, it inadvertently burns tokens from the address at index 0 on every iteration.

Proof of Concept

1- Send three distinct valid helpers and addressesToWipe addresses as input.
2- Given that addressesToWipe.length is 3, the for loop will execute three times.
3- During the first execution of the _burn function, the entire balance of the address at the zero index is burned.
4- In the second execution of the _burn function, the balance of the address at the zero index is burned again. However, the balance is now zero, as it was already burned in the previous step.
5- Repeat step 4 for the third execution.
6- The function is successfully completed without reverting.

Tools Used

Manually

To ensure the intended behavior of burning tokens in order within the entire list of addresses, line 313 should be modified as follows:

address current = addressesToWipe[i];

This change will ensure that the function iterates through and burns the tokens for each address in the list.
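
The loop described above and the recommended fix, side by side, as an added example that is not part of the original submission or the Frankencoin code base. WipeModel, wipeBuggy, wipeFixed and demo are hypothetical names, and the token is a minimal stand-in with constructed holders.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration: a minimal stand-in share token, NOT the Frankencoin Equity contract.
// All names here are hypothetical; holders and balances are constructed sample data.
contract WipeModel {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    function mint(address to, uint256 amount) public {
        balanceOf[to] += amount;
        totalSupply += amount;
    }

    function _burn(address from, uint256 amount) internal {
        balanceOf[from] -= amount;
        totalSupply -= amount;
    }

    // Behaviour described in the finding: every iteration reads index 0.
    function wipeBuggy(address[] memory addressesToWipe) public {
        for (uint256 i = 0; i < addressesToWipe.length; i++) {
            address current = addressesToWipe[0];
            // After the first pass the balance is zero, so this burns nothing and never reverts.
            _burn(current, balanceOf[current]);
        }
    }

    // Recommended fix: index the list with the loop variable.
    function wipeFixed(address[] memory addressesToWipe) public {
        for (uint256 i = 0; i < addressesToWipe.length; i++) {
            address current = addressesToWipe[i];
            _burn(current, balanceOf[current]);
        }
    }

    // Mints to three constructed holders, then reports total supply after each variant.
    function demo() external returns (uint256 afterBuggy, uint256 afterFixed) {
        address[] memory list = new address[](3);
        list[0] = address(0xA1);
        list[1] = address(0xA2);
        list[2] = address(0xA3);
        for (uint256 i = 0; i < 3; i++) mint(list[i], 100);
        wipeBuggy(list);
        afterBuggy = totalSupply; // list[1] and list[2] still hold their balances
        wipeFixed(list);
        afterFixed = totalSupply; // every listed holder has been wiped
    }
}
```

A regression test for the fix should assert on the balance of every listed address, not only on the call succeeding, since the buggy loop completes without reverting.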

#0 - c4-pre-sort

2023-04-20T14:12:58Z

0xA5DF marked the issue as duplicate of #941

#1 - c4-judge

2023-05-18T14:20:39Z

hansfriese marked the issue as satisfactory
