missing access control in burnRebalancer()

Summary

The burnRebalancer() function in USSD.sol can be called by any user. Anyone can call the function to arbitrarily manipulate the total supply of USSD and the reserved USSD in USSD contract.

Vulnerability Detail

The burnRebalancer() function in USSD.sol can be called by any user

function burnRebalancer(uint256 amount) public override {
    _burn(address(this), amount);
}

Impact

Anyone can call the function to arbitrarily manipulate the total supply of USSD and the reserved USSD in USSD contract, which will affect the price of UUSD. So attacker can exploit this function to gain profit and destroy the exchange rate of USSD

Code Snippet

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/USSD.sol#L208-L210

function burnRebalancer(uint256 amount) public override {
    _burn(address(this), amount);
}

Tool used

Manual Review

Recommendation

Add onlyBalancer modifier to the function

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

026.md

026.md

missing access control in burnRebalancer()

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation

Files

026.md

Latest commit

History

026.md

File metadata and controls

missing access control in burnRebalancer()

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation