fix(protocol): add access control to BridgedERC20Base.burn (TKO-08 ) (#…

…15566)
taikoxyz · Jan 25, 2024 · 9004b04 · 9004b04
1 parent 5902e38
commit 9004b04
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/packages/protocol/contracts/tokenvault/BridgedERC20Base.sol b/packages/protocol/contracts/tokenvault/BridgedERC20Base.sol
@@ -66,6 +66,7 @@ abstract contract BridgedERC20Base is EssentialContract, IBridgedERC20 {
 
     function burn(address account, uint256 amount) public nonReentrant whenNotPaused {
         if (migratingAddress != address(0) && !migratingInbound) {
+            if (msg.sender != account) revert BB_PERMISSION_DENIED();
             // Outbond migration
             emit MigratedTo(migratingAddress, account, amount);
             // Ask the new bridged token to mint token for the user.

diff --git a/packages/protocol/test/tokenvault/BridgedERC20.t.sol b/packages/protocol/test/tokenvault/BridgedERC20.t.sol
@@ -88,8 +88,22 @@ contract TestBridgedERC20 is TaikoTest {
         vm.expectRevert();
         oldToken.mint(Bob, 10);
 
-        // 2. burning can be done by anyone
+        // 2. burning can NOT be done by anyone
         vm.prank(randAddress());
+        vm.expectRevert();
+        oldToken.burn(Bob, 10);
+
+        // including the owners
+        vm.prank(oldToken.owner());
+        vm.expectRevert();
+        oldToken.burn(Bob, 10);
+
+        vm.prank(newToken.owner());
+        vm.expectRevert();
+        oldToken.burn(Bob, 10);
+
+        // but can be done by the token owner
+        vm.prank(Bob);
         oldToken.burn(Bob, 10);
         assertEq(oldToken.balanceOf(Bob), 90);
         assertEq(newToken.balanceOf(Bob), 210);