Magic Banana Puppy
High
Anyone can burn Stablecoin tokens with burnFrom function inherited of ERC20PermitUpgradeable contract.
In the StableCoin contract, the burn function is onlyRole and is used by the contract, which is the owner of StableCoin contract.
Check Line of code: https://github.com/sherlock-audit/2024-11-telcoin/blob/main/telcoin-audit/contracts/stablecoin/Stablecoin.sol#L106
From the code above , the onlyRole modifier can be bypassed, which means that anyone can burn tokens without permission.
The tokens can be burned with burnFrom function bypassing the onlyRole modifier of the burn functions. The impact of this bug is that it allows for unauthorized burning of tokens
Manual Review
Block the burnFrom function of ERC20PermitUpgradeable contract to prevent the vulnerability.
``
-
error DecentralizedStableCoin__BlockFunction();
-
function burnFrom(address, uint256) public pure override {
-
revert StableCoin__BlockFunction(); -
}
``