Platform: Code4rena
Start Date: 09/02/2024
Pot Size: $60,500 USDC
Total HM: 17
Participants: 283
Period: 12 days
Judge:
Id: 328
League: ETH
Rank: 25/283
Findings: 2
Award: $246.18
π Selected for report: 0
π Solo Findings: 0
π Selected for report: nuthan2x
Also found by: 0xE1, 0xblackskull, 0xgrbr, 0xvj, Greed, McToady, MidgarAudits, PetarTolev, Sabit, SovaSlava, SpicyMeatball, Timenov, Tychai0s, _eperezok, alexxander, btk, c0pp3rscr3w3r, favelanky, jesjupyter, josephdara, juancito, klau5, kutugu, lil_eth, merlinboii, pynschon, sandy, shaflow2, zaevlad
7.2869 USDC - $7.29
Added minter addresses are permanent and cannot be revoked.
The addMinter function allows new minter addresses to be added, but there is no corresponding function to remove minter addresses. This is a bug because minter addresses cannot be revoked.
Manual review
Add a function that allows owner to remove minter addresses.
Access Control
#0 - c4-pre-sort
2024-02-25T16:09:17Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2024-02-25T16:09:53Z
raymondfam marked the issue as duplicate of #20
#2 - c4-judge
2024-03-05T10:08:55Z
HickupHH3 marked the issue as partial-25
π Selected for report: nuthan2x
Also found by: 0xE1, 0xblackskull, 0xgrbr, 0xvj, Greed, McToady, MidgarAudits, PetarTolev, Sabit, SovaSlava, SpicyMeatball, Timenov, Tychai0s, _eperezok, alexxander, btk, c0pp3rscr3w3r, favelanky, jesjupyter, josephdara, juancito, klau5, kutugu, lil_eth, merlinboii, pynschon, sandy, shaflow2, zaevlad
7.2869 USDC - $7.29
Detailed description of the impact of this finding.
The addStaker function allows new staker addresses to be added.
However, there is no function to remove or revoke a staker address. Once an address is added as a staker, it will remain a valid staker indefinitely.
This is a bug because it means there is no way to remove a staker's privileges if their address is compromised or needs to be revoked for any other reason.
Manual review
Add a function that can revoke added staker addresses.
Access Control
#0 - c4-pre-sort
2024-02-24T06:23:37Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2024-02-24T06:23:54Z
raymondfam marked the issue as duplicate of #20
#2 - c4-judge
2024-03-05T10:03:10Z
HickupHH3 marked the issue as not a duplicate
#3 - c4-judge
2024-03-05T10:04:03Z
HickupHH3 marked the issue as duplicate of #1507
#4 - c4-judge
2024-03-05T10:04:07Z
HickupHH3 marked the issue as partial-25
π Selected for report: nuthan2x
Also found by: 0xE1, 0xblackskull, 0xgrbr, 0xvj, Greed, McToady, MidgarAudits, PetarTolev, Sabit, SovaSlava, SpicyMeatball, Timenov, Tychai0s, _eperezok, alexxander, btk, c0pp3rscr3w3r, favelanky, jesjupyter, josephdara, juancito, klau5, kutugu, lil_eth, merlinboii, pynschon, sandy, shaflow2, zaevlad
7.2869 USDC - $7.29
Detailed description of the impact of this finding.
The addSpender function adds a new address to the spender role.
This gives newSpenderAddress the ability to spend tokens from the contract.
However, there is no corresponding function to revoke or remove a spender address. Once an address is granted spender privileges, those privileges remain indefinitely.
This is a bug because compromised or unauthorized spender addresses cannot have their privileges revoked. The contract should have a revokeSpender function to remove spenders when necessary.
Manual review
Access Control
#0 - c4-pre-sort
2024-02-25T16:10:29Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2024-02-25T16:10:36Z
raymondfam marked the issue as duplicate of #20
#2 - c4-judge
2024-03-05T10:09:07Z
HickupHH3 marked the issue as partial-25
π Selected for report: Timenov
Also found by: 0x11singh99, 0xblackskull, CodeWasp, MidgarAudits, MrPotatoMagic, Rolezn, Sabit, SovaSlava, andywer, btk, josephdara, lil_eth, merlinboii, sobieski, vnavascues
238.8948 USDC - $238.89
Allowed burning addresses cannot be removed
The setAllowedBurningAddresses function is intended to allow the admin to set and update which addresses are allowed to burn tokens. However, there is a logical flaw in the function implementation that prevents removing addresses from the allow list once added.
Specifically, the function only includes logic to add new addresses to the allowedBurningAddresses mapping, by setting their mapping value to true. There is no functionality to later set their value back to false to remove access.
This means any address that is ever set as an allowed burning address can never have that permission revoked, even by the admin. This violates the expected functionality and gives permanent privileged access.
Manual review
Include how to remove an added address from the mapping.
Context
#0 - c4-pre-sort
2024-02-22T19:28:44Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2024-02-22T19:28:52Z
raymondfam marked the issue as duplicate of #47
#2 - c4-judge
2024-03-08T03:29:29Z
HickupHH3 marked the issue as satisfactory