burn() doesn't call ERC721 _burn()
#111
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Comments
code423n4
added
2 (Med Risk)
Mathepreneur
added
the
sponsor acknowledged
|
If decided not to burn the ERC721 token at all. The burn in this context is burning the debt and collateral locked balance in the ERC721 token. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Handle
sirhashalot
Vulnerability details
Impact
The CollateralizedDebt.sol contract is a ERC721 token. It has a
mint()function, which uses the underlyingsafeMint()function to create an ERC721 token representing a collateral position. Theburn()function in CollateralizedDebt.sol should reverse the actions ofmint()by burning the ERC721 token, but the ERC721_burn()function is never called. This means a user can continue to hold their ERC721 token representing their position after receiving their funds. This is unlike theburn()function found in Bond.sol, Insurance.sol, and Liquidity.sol, which all call the_burn()function (though note the_burn()function in these other Timeswap Convenience contracts is the ERC20_burn()).Proof of Concept
The problematic
burn()function is found in CollareralizedDebt.solhttps://github.com/code-423n4/2022-01-timeswap/blob/bf50d2a8bb93a5571f35f96bd74af54d9c92a210/Timeswap/Timeswap-V1-Convenience/contracts/CollateralizedDebt.sol#L80-L88
Compare this function to the
burn()functions defined in the other Timeswap Convenience contracts, which contain calls to_burn()Recommended Mitigation Steps
Include the following line in the
burn()function_burn(id);The text was updated successfully, but these errors were encountered: