This repository has been archived by the owner on Nov 26, 2023. It is now read-only.
sherlock-admin opened this issue on May 23, 2023 · 0 comments
Labels
Duplicate: A valid issue that is a duplicate of an issue with the `Has Duplicates` label
High: A valid High severity issue
Reward: A payout will be made for this issue
Submitted by ravikiran.web3, severity: high
Minting and Burning are exposed as public function in USSD contract, there is no restriction
Summary
mintRebalancer and burnRebalancer are exposed as public functions, which means anyone can call them and create an imbalance between the supply of USSD and the collateral. This will impact the rebalancing logic and the net value of USSD against the DAI value.
Vulnerability Detail
Mint and burn should be operated by the rebalancer, which evaluates USSD against the collateral and decides whether to add or remove supply.
But since these functions are exposed as public, the USSD token value can be manipulated by anyone.
Impact
USSD value can be easily manipulated.
Code Snippet
https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/USSD.sol#L204C2-L210
```solidity
// Both functions are callable by any address: no onlyBalancer() modifier.
function mintRebalancer(uint256 amount) public override {
    _mint(address(this), amount);
}

function burnRebalancer(uint256 amount) public override {
    _burn(address(this), amount);
}
```
Tool used
Manual Review
Recommendation
Attach the onlyBalancer() modifier to both of the above functions so that they are not available to everyone, but only to the rebalancer contract.
Duplicate of #777
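The recommended fix, shown side by side with the reported code, as an added example that is not code from the USSD repository. `MinimalToken` is a stripped-down stand-in for the real ERC20 base, and the `rebalancer` storage slot, its owner-only `setRebalancer` setter, the body of `onlyBalancer()` and the `Attacker` contract are all assumptions made for illustration; the `override` keyword from the original snippet is dropped because there is no interface here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not the project's code. The rebalancer slot, its setter,
// the modifier body and the Attacker contract are assumptions for illustration.

abstract contract MinimalToken {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    function _mint(address to, uint256 amount) internal {
        totalSupply += amount;
        balanceOf[to] += amount;
    }

    function _burn(address from, uint256 amount) internal {
        require(balanceOf[from] >= amount, "burn exceeds balance");
        balanceOf[from] -= amount;
        totalSupply -= amount;
    }
}

// Mirrors the reported code: no access control, so any caller can move
// totalSupply, the figure the rebalancer compares against collateral.
contract USSDUnrestricted is MinimalToken {
    function mintRebalancer(uint256 amount) public {
        _mint(address(this), amount);
    }

    function burnRebalancer(uint256 amount) public {
        _burn(address(this), amount);
    }
}

// Hardened variant: only the configured rebalancer may mint or burn.
contract USSDRestricted is MinimalToken {
    address public immutable owner;
    address public rebalancer;

    constructor() {
        owner = msg.sender;
    }

    // Assumed management entry point; the real contract's admin path may differ.
    function setRebalancer(address newRebalancer) external {
        require(msg.sender == owner, "not owner");
        require(newRebalancer != address(0), "zero rebalancer");
        rebalancer = newRebalancer;
    }

    modifier onlyBalancer() {
        require(msg.sender == rebalancer, "USSD: caller is not the rebalancer");
        _;
    }

    function mintRebalancer(uint256 amount) public onlyBalancer {
        _mint(address(this), amount);
    }

    function burnRebalancer(uint256 amount) public onlyBalancer {
        _burn(address(this), amount);
    }
}

// Any EOA or contract can play this role against the unrestricted token.
contract Attacker {
    // Succeeds: totalSupply grows by `amount` with no collateral behind it.
    function inflateUnrestricted(USSDUnrestricted token, uint256 amount) external {
        token.mintRebalancer(amount);
    }

    // Returns false: onlyBalancer() reverts for a caller that is not the rebalancer.
    function tryInflateRestricted(USSDRestricted token, uint256 amount)
        external
        returns (bool succeeded)
    {
        try token.mintRebalancer(amount) {
            succeeded = true;
        } catch {
            succeeded = false;
        }
    }
}
```

Deploy both tokens and the `Attacker`, then call `inflateUnrestricted` and read `totalSupply`: it rises even though the attacker holds no tokens, because the mint goes to the token contract itself. Against `USSDRestricted`, `tryInflateRestricted` returns false until the owner points `rebalancer` at the attacker. The same reasoning applies to `burnRebalancer`: without the modifier, anyone can burn whatever balance the contract holds for rebalancing, shrinking supply out from under the rebalancer's calculation.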