onlyBalancer modifier is missing

Summary

onlyBalancer modifier is missing in the USSD.mintRebalancer() and USSD.burnRebalancer() functions

Vulnerability Detail

Anyone can call the USSD.mintRebalancer() and USSD.burnRebalancer() functions and mint or burn any amount of USSD tokens to/from the USSD contract.

Add the following test to ./test/USSDsimulator.test.js:

it('anyone can mint and burn', async () => {
  this.USSD = await deployProxy(USSD, ["US Secured Dollar", "USSD"], { from: accounts[0] });

  expect((await this.USSD.totalSupply()).toString()).to.equal('10000000000'); // 10000 USSD minted

  // mint some amount directly without Rebalancer
  await this.USSD.mintRebalancer('10');
  expect((await this.USSD.totalSupply()).toString()).to.equal('10000000010');

  // burn some amount directly without Rebalancer
  await this.USSD.burnRebalancer('5');
  expect((await this.USSD.totalSupply()).toString()).to.equal('10000000005');
})

Impact

Incorrect calculation of the USSD.totalSupply() and USSD.balanceOf(USSD) (which are used in the USSDRebalancer.rebalance()), price manipulation

Code Snippet

https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/USSD.sol#L200-L202 https://github.com/sherlock-audit/2023-05-USSD/blob/main/ussd-contracts/contracts/USSD.sol#L204-L206

Tool used

Manual Review, Ganache

Recommendation

Add onlyBalancer modifier to the functions

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

060.md

060.md

onlyBalancer modifier is missing

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation

Files

060.md

Latest commit

History

060.md

File metadata and controls

onlyBalancer modifier is missing

Summary

Vulnerability Detail

Impact

Code Snippet

Tool used

Recommendation