This repository has been archived by the owner on Mar 3, 2024. It is now read-only.
deth - Clearinghouse.sol#claimDefaulted() - Clearinghouse doesn't approve the MINTR to handle tokens in its name, which bricks the entire function.
#176
Labels

Has Duplicates: A valid issue with 1+ other issues describing the same vulnerability
High: A valid High severity issue
Reward: A payout will be made for this issue
Sponsor Confirmed: The sponsor acknowledged this issue is valid
Will Fix: The sponsor confirmed this issue will be fixed
deth

high

Clearinghouse.sol#claimDefaulted() - Clearinghouse doesn't approve the MINTR to handle tokens in its name, which bricks the entire function.

Summary
Clearinghouse doesn't approve the MINTR to handle tokens in its name, which bricks the entire function.

Vulnerability Detail

Inside claimDefaulted, on the last line we call MINTR.burnOhm, which in turn calls OHM.burnFrom. The docs for MINTR.burnFrom state: "Burn OHM from an address. Must have approval." We can confirm that this is the case when looking at the OHM source code and its burnFrom. I found 2 OHM tokens that are currently deployed on mainnet, so I'm linking both their addresses: https://etherscan.io/token/0x383518188c0c6d7730d91b2c03a03c837814a899#code, https://etherscan.io/token/0x64aa3364f17a4d01c6f1751fd97c2bd3d7e7f1d5#code. Both addresses use the same burnFrom logic and in both cases they require an allowance. Nowhere in the contract do we approve the MINTR to handle OHM tokens in the name of Clearinghouse; in fact OHM isn't even specified in Clearinghouse.

Side note: The test testFuzz_claimDefaulted succeeds because MockOhm is written incorrectly. When burnFrom gets called, MockOhm calls the inherited _burn function, which burns tokens from msg.sender. The mock doesn't represent how the real OHM.burnFrom works.

Impact

claimDefaulted will always revert.

Code Snippet

https://github.com/sherlock-audit/2023-08-cooler/blob/6d34cd12a2a15d2c92307d44782d6eae1474ab25/Cooler/src/Clearinghouse.sol#L244

Tool used

Manual Review

Recommendation

Add a variable ohm which will be the OHM address and approve the necessary tokens to the MINTR before calling MINTR.burnOhm.
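The allowance requirement described in the finding, shown as an added, self-contained example. This is not the Cooler or Olympus code: ToyOhm, ToyMintr, VulnerableClearinghouse, FixedClearinghouse and Demo are constructed stand-ins, and the burnOhm(from, amount) / burnFrom(account, amount) signatures are assumed to match the real contracts. ToyOhm.burnFrom consumes allowance the way the report says the deployed OHM does, so the unapproved call reverts and the approved one succeeds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Constructed OHM stand-in for this example; not the deployed token.
// Its burnFrom consumes allowance, which is the behaviour the report relies on.
contract ToyOhm {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    // Burns `amount` from `account` on behalf of msg.sender; requires allowance.
    // A mock that instead burns from msg.sender would hide the missing approval.
    function burnFrom(address account, uint256 amount) external {
        uint256 allowed = allowance[account][msg.sender];
        require(allowed >= amount, "ERC20: burn amount exceeds allowance");
        allowance[account][msg.sender] = allowed - amount;
        require(balanceOf[account] >= amount, "ERC20: burn amount exceeds balance");
        balanceOf[account] -= amount;
    }
}

// Constructed MINTR stand-in: forwards the burn to OHM.burnFrom (assumed signature).
contract ToyMintr {
    ToyOhm public immutable ohm;
    constructor(ToyOhm ohm_) { ohm = ohm_; }

    function burnOhm(address from, uint256 amount) external {
        ohm.burnFrom(from, amount); // inside burnFrom, msg.sender is this MINTR
    }
}

// Vulnerable shape: holds OHM, never approves the MINTR, so every burn reverts.
contract VulnerableClearinghouse {
    ToyMintr public immutable MINTR;
    constructor(ToyMintr mintr_) { MINTR = mintr_; }

    function claimDefaulted(uint256 amount) external {
        MINTR.burnOhm(address(this), amount); // reverts: allowance is zero
    }
}

// Fixed shape per the recommendation: store the OHM address and approve the
// MINTR for exactly the amount about to be burned.
contract FixedClearinghouse {
    ToyMintr public immutable MINTR;
    ToyOhm public immutable ohm;
    constructor(ToyMintr mintr_, ToyOhm ohm_) { MINTR = mintr_; ohm = ohm_; }

    function claimDefaulted(uint256 amount) external {
        ohm.approve(address(MINTR), amount);
        MINTR.burnOhm(address(this), amount);
    }
}

// Harness: deploys both shapes with a constructed balance and reports the outcome.
contract Demo {
    function run() external returns (bool vulnerableReverted, uint256 fixedRemaining) {
        ToyOhm ohm = new ToyOhm();
        ToyMintr mintr = new ToyMintr(ohm);
        VulnerableClearinghouse bad = new VulnerableClearinghouse(mintr);
        FixedClearinghouse good = new FixedClearinghouse(mintr, ohm);
        ohm.mint(address(bad), 100e9);  // constructed balances (OHM has 9 decimals)
        ohm.mint(address(good), 100e9);

        try bad.claimDefaulted(40e9) { vulnerableReverted = false; }
        catch { vulnerableReverted = true; }   // expected: true

        good.claimDefaulted(40e9);
        fixedRemaining = ohm.balanceOf(address(good)); // expected: 60e9
    }
}
```

Deploy Demo and call run() in any local EVM (Remix, Foundry, Hardhat): the vulnerable path reports a revert and the fixed path leaves 60e9 behind. The same allowance check is what the report says MockOhm lacks; giving the test mock a burnFrom like ToyOhm's makes testFuzz_claimDefaulted fail against the unpatched Clearinghouse instead of passing silently.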