ERC20 Token Burn Vulnerability
Description
A public `burn(address account, uint256 amount)` function that passes the caller-supplied `account` straight to `_burn` lets any caller destroy tokens held by other accounts, leading to unauthorized token destruction.
Examples
Insecure Code
```solidity
function burn(address account, uint256 amount) public { _burn(account, amount); }
```
Secure Code
```solidity
function burn(uint256 amount) public { _burn(msg.sender, amount); }
```
Remediation
Modify the burn function to only allow the token owner to burn their own tokens, for example by using `msg.sender` or `_msgSender()` as the account to burn from.
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0099 |
| Category | Crypto |
| Severity | CRITICAL |
| CWE | CWE-284 |
| Confidence | LOW |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | erc20, token burn, access control |
| OWASP | N/A |
References
- https://twitter.com/danielvf/status/1511013322015051797
- https://etherscan.io/address/0xf15ead6acb8ab52a1e335671a48f3a99e991614c