Omniscia Morpho Audit
Token Manual Review Findings
TOK-01M: Arbitrary Party Burn Operation
Type | Severity | Location |
---|---|---|
Logical Fault | | Token.sol:L45-L48 |
Description:
The `burn` function allows the authorized party to burn units from arbitrary accounts without having received an allowance from those accounts beforehand.
Impact:
An authorized party can burn the balances of other users at will, including balances held by DeFi exchanges, custodian wallets and more, which is an undesirable trait for a token.
Example:
src/Token.sol (lines 45-48):

```solidity
// `burn` is added to the external interface, and also `requiresAuth`
function burn(address from, uint256 amount) external requiresAuth {
    _burn(from, amount);
}
```
Recommendation:
We advise the caller's allowance to be consumed prior to the `_burn` call, i.e. `burn` should first check that `from` has granted the caller sufficient allowance and then decrement that allowance by `amount`, mirroring the `transferFrom` / `burnFrom` convention, rather than relying on `requiresAuth` alone.
Alleviation:
The `burn` function in question has now been adjusted to no longer apply authorization and now only allows a caller to burn their own tokens, thereby nullifying this exhibit as it is no longer applicable.
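The following contract is an added illustration written for this page and is not Morpho's `Token.sol`: it places the allowance-gated variant proposed in the Recommendation (`burnFrom`) next to the self-only variant adopted in the Alleviation (`burn`). The contract name, the `balanceOf`/`allowance` storage layout, the `_spendAllowance` helper and the ERC-20 style events are assumptions chosen to keep the example self-contained.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the audited project's code. Shows two safe shapes of a
// burn entry point so that neither an authorized role nor anyone else can
// destroy a third party's balance without that party's consent.
contract AllowanceGatedBurnExample {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;
    uint256 public totalSupply;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    constructor(uint256 initialSupply) {
        balanceOf[msg.sender] = initialSupply;
        totalSupply = initialSupply;
        emit Transfer(address(0), msg.sender, initialSupply);
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        emit Approval(msg.sender, spender, amount);
        return true;
    }

    // Alleviation shape: a caller may only burn their own tokens. No role
    // check and no allowance are involved because `from` is always msg.sender.
    function burn(uint256 amount) external {
        _burn(msg.sender, amount);
    }

    // Recommendation shape: burning from another account requires that the
    // account owner has granted the caller an allowance. The allowance is
    // validated and consumed before `_burn` runs, so a spender cannot burn
    // more than the owner explicitly approved.
    function burnFrom(address from, uint256 amount) external {
        _spendAllowance(from, msg.sender, amount);
        _burn(from, amount);
    }

    // Checks that `spender` holds at least `amount` of allowance from `owner`
    // and decrements it. An allowance of type(uint256).max is treated as
    // unlimited and left untouched, matching common ERC-20 practice.
    function _spendAllowance(address owner, address spender, uint256 amount) internal {
        uint256 current = allowance[owner][spender];
        if (current != type(uint256).max) {
            require(current >= amount, "insufficient allowance");
            uint256 remaining = current - amount;
            allowance[owner][spender] = remaining;
            emit Approval(owner, spender, remaining);
        }
    }

    // Shared internal burn: reduces the balance and the total supply.
    function _burn(address from, uint256 amount) internal {
        require(balanceOf[from] >= amount, "insufficient balance");
        unchecked {
            balanceOf[from] -= amount;
            totalSupply -= amount;
        }
        emit Transfer(from, address(0), amount);
    }
}
```

Note that the original finding's `burn(address from, uint256 amount) external requiresAuth` bypassed both of these gates: `requiresAuth` restricts who may call, but says nothing about whether `from` consented. Either of the two functions above closes that gap; the project chose the first.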