You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Sep 17, 2023. It is now read-only.
sherlock-admin opened this issue
Mar 13, 2023
· 0 comments
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
TAU doesn't decrease vault's mint amount when tokens are burned
Summary
The TAU contract keeps track of the number of tokens that are minted to enforce a limit. But, when tokens are burned the value is not decreased.
Vulnerability Detail
Whenever new TAU is minted, the amount is added to currentMinted. For every mint, the contract verifies that currentMinted + amount < mintLimit. When TAU is burned, it's supposed to reduce the caller's currentMinted. But, the contract compares the caller's currentMinted with the value of the account whose TAU is burned. Meaning, it compares the vault's value with that of the end user.
function _decreaseCurrentMinted(address account, uint256 amount) internal virtual {
// If the burner is a vault, subtract burnt TAU from its currentMinted.
// This has a few highly unimportant edge cases which can generally be rectified by increasing the relevant vault's mintLimit.
uint256 accountMinted = currentMinted[account];
if (accountMinted >= amount) {
currentMinted[msg.sender] = accountMinted - amount;
}
}
The end user is not granted the permission to mint any TAU themselves. Thus, their currentMinted will always be 0. Meaning the check accountMinted >= amount is 0 >= X, which will always evaluate to false (we never burn 0 tokens; if we do, that doesn't decrease currentMinted either).
Impact
The vault's currentMinted is never decreased causing the vault to reach its limit which will stop users from taking out new loans.
function _decreaseCurrentMinted(address account, uint256 amount) internal virtual {
// If the burner is a vault, subtract burnt TAU from its currentMinted.
// This has a few highly unimportant edge cases which can generally be rectified by increasing the relevant vault's mintLimit.
uint256 accountMinted = currentMinted[msg.sender];
if (accountMinted >= amount) {
currentMinted[msg.sender] = accountMinted - amount;
}
}
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
DuplicateA valid issue that is a duplicate of an issue with `Has Duplicates` labelMediumA valid Medium severity issueRewardA payout will be made for this issue
Ruhum
medium
TAU doesn't decrease vault's mint amount when tokens are burned
Summary
The TAU contract keeps track of the number of tokens that are minted to enforce a limit. But, when tokens are burned the value is not decreased.
Vulnerability Detail
Whenever new TAU is minted, the amount is added to
currentMinted
. For every mint, the contract verifies thatcurrentMinted + amount < mintLimit
. When TAU is burned, it's supposed to reduce the caller'scurrentMinted
. But, the contract compares the caller'scurrentMinted
with the value of the account whose TAU is burned. Meaning, it compares the vault's value with that of the end user.The end user is not granted the permission to mint any TAU themselves. Thus, their
currentMinted
will always be0
. Meaning the checkaccountMinted >= amount
is0 >= X
, which will always evaluate to false (we never burn 0 tokens; if we do, that doesn't decreasecurrentMinted
either).Impact
The vault's
currentMinted
is never decreased causing the vault to reach its limit which will stop users from taking out new loans.Code Snippet
https://github.com/sherlock-audit/2023-03-taurus/blob/main/taurus-contracts/contracts/TAU.sol#L60-L83
Tool used
Manual Review
Recommendation
Change
_decreaseCurrentMinted()
to:Duplicate of #149
The text was updated successfully, but these errors were encountered: