Platform: Code4rena
Start Date: 14/10/2022
Pot Size: $100,000 USDC
Total HM: 12
Participants: 75
Period: 9 days
Judge: GalloDaSballo
Total Solo HM: 1
Id: 171
League: ETH
Rank: 56/75
Findings: 1
Award: $0.33
🌟 Selected for report: 0
🚀 Solo Findings: 0
0.3268 USDC - $0.33
In LBToken._transfer(), the balances of _from and _to are stored in temporary variables, and after the subtraction and addition operations the results are written to storage.
In the second operation, since the original balance is used in the addition, if from == to the address will have extra tokens in its balance.
So a user can self-transfer tokens for id, burn, and transfer more than the supplied assets from a pair contract.
    function _transfer(
        address _from,
        address _to,
        uint256 _id,
        uint256 _amount
    ) internal virtual {
        uint256 _fromBalance = _balances[_id][_from];
        if (_fromBalance < _amount) revert LBToken__TransferExceedsBalance(_from, _id, _amount);

        _beforeTokenTransfer(_from, _to, _id, _amount);

        uint256 _toBalance = _balances[_id][_to];

        unchecked {
            _balances[_id][_from] = _fromBalance - _amount;
            _balances[_id][_to] = _toBalance + _amount; // @audit
        }

        _remove(_from, _id, _fromBalance, _amount); // @audit from==to
        _add(_to, _id, _toBalance, _amount);
    }
Manual analysis
Add a condition to prevent transfers between the same addresses.
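The pattern described in this report, as an added example that is not part of the original submission or the project's code: a minimal Solidity model of the balance bookkeeping only, with the cached-read transfer beside a version that rejects from == to. The contract name, the function names and the TransferToSelf error are hypothetical, and the _beforeTokenTransfer hook and the _remove/_add calls are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Added illustration: models only the per-id balance mapping from the report.
// No access control or hooks; names here are hypothetical, not the project's.
contract SelfTransferModel {
    error TransferExceedsBalance(address from, uint256 id, uint256 amount);
    error TransferToSelf();

    mapping(uint256 => mapping(address => uint256)) internal _balances;

    // Helper to seed a balance for a regression test.
    function mint(address to, uint256 id, uint256 amount) external {
        _balances[id][to] += amount;
    }

    function balanceOf(address account, uint256 id) external view returns (uint256) {
        return _balances[id][account];
    }

    // Pattern from the report: both balances are read before either write.
    // When from == to, the second write stores (original + amount) over the
    // first write, so the slot ends up `amount` higher than it started.
    function transferCached(address from, address to, uint256 id, uint256 amount) external {
        uint256 fromBalance = _balances[id][from];
        if (fromBalance < amount) revert TransferExceedsBalance(from, id, amount);
        uint256 toBalance = _balances[id][to]; // stale if from == to
        unchecked {
            _balances[id][from] = fromBalance - amount;
            _balances[id][to] = toBalance + amount;
        }
    }

    // Hardened form: reject self-transfers as the report recommends, and read
    // the recipient slot only after the sender's debit has been written.
    function transferChecked(address from, address to, uint256 id, uint256 amount) external {
        if (from == to) revert TransferToSelf();
        uint256 fromBalance = _balances[id][from];
        if (fromBalance < amount) revert TransferExceedsBalance(from, id, amount);
        unchecked {
            _balances[id][from] = fromBalance - amount;
        }
        _balances[id][to] += amount; // fresh storage read, checked addition
    }
}
```

A regression test for this class of bug asserts that the sum of all balances for an id is unchanged by any transfer, including one where from == to.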
#0 - trust1995
2022-10-23T20:46:08Z
Dup of #441
#1 - GalloDaSballo
2022-10-26T16:36:17Z
#2 - c4-judge
2022-11-23T18:28:41Z
GalloDaSballo marked the issue as not a duplicate
#3 - c4-judge
2022-11-23T18:29:45Z
GalloDaSballo marked the issue as duplicate of #299
#4 - Simon-Busch
2022-12-05T06:38:38Z
Marked this issue as Satisfactory as requested by @GalloDaSballo