SunSec - Inconsistent parameter with burnFrom & decreaseCurrentMinted

[sherlock-admin]

SunSec

medium

Inconsistent parameter with burnFrom & decreaseCurrentMinted

Summary

Vulnerability Detail

The code is checking if accountMinted is greater than or equal to amount in _decreaseCurrentMinted(), but the subtraction is being performed on currentMinted[msg.sender] instead of currentMinted[account]. This means that the code is subtracting the amount from the currentMinted value of the msg.sender instead of the account that was passed as a parameter to the function.

It is better to make the parameter consistent.

Impact

If misuse it, it will cause accounting error.

Code Snippet

https://github.com/sherlock-audit/2023-03-taurus/blob/main/taurus-contracts/contracts/TAU.sol#L54-L81

    function burn(uint256 amount) public virtual override {
        address account = _msgSender(); //@audit msg.sender
        _burn(account, amount);
        _decreaseCurrentMinted(account, amount);
    }
    function burnFrom(address account, uint256 amount) public virtual override {
        super.burnFrom(account, amount);   //@audit account
        _decreaseCurrentMinted(account, amount);  //@audit account
    }

    function _decreaseCurrentMinted(address account, uint256 amount) internal virtual {
mintLimit.
        uint256 accountMinted = currentMinted[account];  //@audit account - Inconsistent parameter
        if (accountMinted >= amount) {
            currentMinted[msg.sender] = accountMinted - amount;  //@audit msg.sender - Inconsistent parameter
        }

Tool used

Manual Review

Recommendation

To fix this bug, the code should subtract amount from currentMinted[account] instead of currentMinted[msg.sender].

Duplicate of #149