Omniscia DAFI Protocol Audit

DAFITOKENETH Manual Review Findings

DAF-01M: Potentially Dangerous Evaluation

Type: Logical Fault
Severity: Minor
Location: DAFITOKENETH.sol:L57

Description:

The linked evaluation ensures that the _value being burned from a particular account does not exceed its balance. In doing so, however, it prevents the owner from performing any burn operation against malicious users: a race condition arises in which the malicious user can transfer all their funds out before the burn operation is executed.

Example:

contracts/DAFITOKENETH.sol
55  function burn(uint256 _value, address _beneficiary) external onlyOwner {
56      require(_beneficiary != address(0));
57      require(balanceOf(_beneficiary) >= _value, "User does not have sufficient tokens to burn");
58      _totalSupply = _totalSupply - _value;
59      balances[_beneficiary] = balances[_beneficiary] - _value;
60
61      emit Transfer(_beneficiary, address(0), _value);
62  }
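
The ordering dependency described in this finding can be reproduced with a small Python model of the exhibit's balance check. This is an added example, not code from the audit or from the DAFI codebase; the Ledger class, the apply_in_order and scenario helpers and the account names are constructed for illustration, and the onlyOwner and zero-address checks are omitted.

```python
# Added illustration: a minimal model of the audited burn() balance check.
# Ledger, apply_in_order, scenario and the account names are constructed here.

class Revert(Exception):
    """Models a failed require(): the transaction has no effect."""

class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.total_supply = sum(balances.values())

    def transfer(self, sender, to, value):
        if self.balances.get(sender, 0) < value:
            raise Revert("insufficient balance")
        self.balances[sender] -= value
        self.balances[to] = self.balances.get(to, 0) + value

    def burn(self, value, beneficiary):
        # Mirrors L57: the amount is fixed when the owner submits the call,
        # but the balance is only read when the transaction executes.
        if self.balances.get(beneficiary, 0) < value:
            raise Revert("User does not have sufficient tokens to burn")
        self.total_supply -= value
        self.balances[beneficiary] -= value

def apply_in_order(ledger, txs):
    """Execute (name, callable) pairs in block order and record each outcome."""
    results = {}
    for name, tx in txs:
        try:
            tx(ledger)
            results[name] = "ok"
        except Revert as exc:
            results[name] = f"reverted: {exc}"
    return results

def scenario(burn_first):
    """Run the owner's burn and the holder's transfer in the given order."""
    ledger = Ledger({"holder": 100})
    burn = ("burn", lambda l: l.burn(100, "holder"))
    move = ("transfer", lambda l: l.transfer("holder", "other", 100))
    order = [burn, move] if burn_first else [move, burn]
    return apply_in_order(ledger, order), ledger

if __name__ == "__main__":
    for burn_first in (True, False):
        results, ledger = scenario(burn_first)
        print(burn_first, results, ledger.balances, ledger.total_supply)
```

When the transfer is ordered first, the burn reverts at the modelled L57 check and the total supply is unchanged, so the outcome of the owner's call depends on transaction ordering the owner does not control.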

Recommendation:

We advise that this trait of the system be evaluated and potentially removed. If it is deemed an internal operation, the race condition does not exist and, as such, the code can be optimized by performing the subtraction in an unchecked code block.

Alleviation:

The DAFI Protocol team evaluated this exhibit but opted not to apply a remediation for it in the current iteration of the codebase.