Calm Sandstone Shell
High
The burnStableTokens function is susceptible to attacks when dealing with untrusted or malicious tokens. Specifically, the function’s reliance on safeTransferFrom and safeBurn allows a malicious token contract to exploit these methods, potentially causing reentrancy attacks or enabling fake burn behaviors. These issues arise because of the lack of validation for the token address, allowing any token contract with a compatible interface to interact with burnStableTokens without restriction. https://github.com/sherlock-audit/2024-10-mento-update/blob/main/mento-core/contracts/swap/Broker.sol#L187-L191
The lack of validation or control over the token parameter.
- Reentrancy Vulnerability: safeTransferFrom or safeBurn could call back into Broker due to custom logic in the token contract, causing reentrancy issues.
- Fake Burn Behavior: Malicious tokens may implement a burn function that does not correctly reduce the token balance, allowing repeated and unintended calls to burnStableTokens.
- Unintended Transfer Logic: Custom or manipulated safeTransferFrom and safeBurn functions could lead to unverified token transfers, draining funds from either the contract or the user.
- msg.sender must call burnStableTokens with a valid token and amount parameter.
- The ERC-20 token contract for token must implement safeTransferFrom and burn (either directly or via safeBurn), but the contract does not verify whether these methods are standard or have safe behaviors.
- The token contract may have custom implementations for safeTransferFrom and safeBurn, which can include:
- Callback functions that invoke reentrancy paths.
- Non-standard behaviors that don’t deduct tokens as expected.
- The user’s wallet has sufficient balance and approval set up for the contract to execute safeTransferFrom.
A malicious token contract overrides safeTransferFrom or safeBurn with a callback function that re-enters Broker, potentially leading to unexpected behaviors, state manipulation, or draining of funds.
A malicious token contract implements a burn function that doesn’t actually reduce the contract’s token balance, allowing the attacker to call burnStableTokens multiple times without ever reducing the total token balance, thereby allowing a “free burn” for fake tokens.
By overriding safeTransferFrom, a malicious token could transfer funds unexpectedly (e.g., from other addresses), potentially draining user accounts or creating imbalances.
No response
No response
Implement checks to verify successful balance reductions after a burn, ensuring the contract’s balance is reduced as expected. Use standard libraries like OpenZeppelin's SafeERC20 to wrap ERC-20 calls, which includes additional checks and ensures safe execution. Add a nonReentrant modifier to burnStableTokens to prevent reentrancy attacks.