medium

Anyone can burn **DecentralizedStableCoin** tokens with `burnFrom` function


Anyone can burn DecentralizedStableCoin tokens with burnFrom function

Severity

Medium Risk

Summary

Anyone can burn DSC tokens with the `burnFrom` function inherited from the OpenZeppelin `ERC20Burnable` contract.

Vulnerability Details

In the DecentralizedStableCoin contract, the `burn` function is restricted with `onlyOwner` and is used by the DSCEngine contract, which is the owner of the DecentralizedStableCoin contract.

Impact

Tokens can be burned with the `burnFrom` function, bypassing the `onlyOwner` modifier on the `burn` function.

Recommendations

Block the `burnFrom` function inherited from the OpenZeppelin `ERC20Burnable` contract.

@@ -40,6 +40,7 @@ contract DecentralizedStableCoin is ERC20Burnable, Ownable {
     error DecentralizedStableCoin__MustBeMoreThanZero();
     error DecentralizedStableCoin__BurnAmountExceedsBalance();
     error DecentralizedStableCoin__NotZeroAddress();
+    error DecentralizedStableCoin__BlockFunction();

     constructor() ERC20("DecentralizedStableCoin", "DSC") {}

@@ -54,6 +55,10 @@ contract DecentralizedStableCoin is ERC20Burnable, Ownable {
         super.burn(_amount);
     }

+    function burnFrom(address, uint256) public pure override {
+        revert DecentralizedStableCoin__BlockFunction();
+    }
+
     function mint(address _to, uint256 _amount) external onlyOwner returns (bool) {
         if (_to == address(0)) {
             revert DecentralizedStableCoin__NotZeroAddress();
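Review bot: The new `burnFrom` override carries no NatSpec saying why an inherited public entry point is deliberately disabled, so a later maintainer could remove the override as dead code and silently reopen the allowance-based burn path; add above it `/// @dev ERC20Burnable.burnFrom is intentionally disabled: the only burn path is the onlyOwner burn() called by DSCEngine. Always reverts.`. The `pure` mutability is a valid tightening of the inherited nonpayable signature, so the override compiles as written, but the error declared in the first hunk, `DecentralizedStableCoin__BlockFunction()`, does not say which function is blocked; `DecentralizedStableCoin__BurnFromDisabled()` would make the revert reason self-explanatory on-chain. Confirm that DSCEngine itself never calls `burnFrom` on the token, since after this change that call would revert; the page does not show the engine's burn path. The surrounding contract continues past the end of both hunks.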