How is ERC20Burnable securing that not everybody can burn tokens?

My question may be stupid and I don't expect any security issue here, but how does it work that not everybody is able to burn somebody's tokens?

ERC20Burnable offers this function:

function burnFrom(address from, uint256 value) public {
    _burnFrom(from, value);
}

I would expect some roles for burning actions, but they are not required anywhere.


Hi @oxuw4

ERC20Burnable's burnFrom calls the ERC20 internal function _burnFrom:

    /**
     * @dev See `ERC20._burnFrom`.
     */
    function burnFrom(address account, uint256 amount) public {
        _burnFrom(account, amount);
    }

_burnFrom can only burn an amount of tokens if the caller (msg.sender) has an allowance previously set by the token holder.

    /**
     * @dev Destroys `amount` tokens from `account`. `amount` is then deducted
     * from the caller's allowance.
     *
     * See `_burn` and `_approve`.
     */
    function _burnFrom(address account, uint256 amount) internal {
        _burn(account, amount);
        _approve(account, msg.sender, _allowances[account][msg.sender].sub(amount));
    }

If the caller doesn't have an allowance, or the amount isn't within the allowance (the allowance set by the token holder), then attempting to decrease the allowance will fail: SafeMath sub reverts with the reason "SafeMath: subtraction overflow".

    /**
     * @dev Returns the subtraction of two unsigned integers, reverting on
     * overflow (when the result is negative).
     *
     * Counterpart to Solidity's `-` operator.
     *
     * Requirements:
     * - Subtraction cannot overflow.
     */
    function sub(uint256 a, uint256 b) internal pure returns (uint256) {
        require(b <= a, "SafeMath: subtraction overflow");
        uint256 c = a - b;

        return c;
    }

Let me know if you need more information.

This is similar to a question regarding transferFrom and allowances, which could be worth having a read of too.

If the user needs to give an allowance for burning tokens, what is the reason to burn them? I ask because I thought that burning would be something that an owner (or a specific burner role) could use to burn somebody's tokens in case of accident or abuse.


Hi @oxuw4

An example use case could be burning tokens when using a smart contract function, as an alternative to transferring the tokens, thus reducing the total supply of tokens.
This could be part of the design of the economics of the token (tokenomics).

A developer could create roles or use Ownable to perform specific functions such as burning any of the tokens, though there could be concerns regarding under what circumstances these functions would be used and who would have control of them.
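The following is an added example, not code from OpenZeppelin or from either poster. It is a small Python model of the ERC20 balance and allowance bookkeeping that the first reply walks through (burn, burnFrom and the SafeMath check), extended with the kind of privileged burn the second reply mentions. Everything in it is an assumption of this example: the `Token`, `Revert` and `safe_sub` names, the `burners` role set and the `admin_burn` function are invented here to illustrate the behaviour; ERC20Burnable itself has no such role. Note that Solidity undoes every state change when a call reverts, so the model checks the allowance before touching balances to get the same net effect as `_burnFrom`, which burns first and then deducts from the allowance.

```python
# Added example: Python model of ERC20 allowance-gated burning (not OpenZeppelin code).


class Revert(Exception):
    """Stands in for a Solidity revert (a failed require / SafeMath check)."""


def safe_sub(a: int, b: int) -> int:
    # Mirrors SafeMath.sub: revert instead of wrapping below zero.
    if b > a:
        raise Revert("SafeMath: subtraction overflow")
    return a - b


class Token:
    """Minimal ERC20-like bookkeeping: balances, allowances, total supply."""

    def __init__(self, initial_holder: str, supply: int) -> None:
        self.total_supply = supply
        self.balances = {initial_holder: supply}
        self.allowances = {}      # (owner, spender) -> remaining allowance
        self.burners = set()      # hypothetical privileged role (see admin_burn)

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowances.get((owner, spender), 0)

    def approve(self, sender: str, spender: str, amount: int) -> None:
        # Only the holder (msg.sender) can set an allowance on their own balance.
        self.allowances[(sender, spender)] = amount

    def _burn(self, account: str, amount: int) -> None:
        # ERC20._burn: reverts if the account lacks the balance.
        self.balances[account] = safe_sub(self.balance_of(account), amount)
        self.total_supply -= amount

    def burn(self, sender: str, amount: int) -> None:
        # ERC20Burnable.burn: a holder may always burn their own tokens.
        self._burn(sender, amount)

    def burn_from(self, sender: str, account: str, amount: int) -> None:
        # ERC20._burnFrom: the caller's allowance from `account` must cover `amount`.
        # The allowance check comes first here so a failure leaves no partial state,
        # which is what a Solidity revert guarantees for the original order.
        remaining = safe_sub(self.allowance(account, sender), amount)
        self._burn(account, amount)
        self.allowances[(account, sender)] = remaining

    def admin_burn(self, sender: str, account: str, amount: int) -> None:
        # Hypothetical role-gated burn, as the second reply describes.
        # Not part of ERC20Burnable; shown only to contrast with burn_from.
        if sender not in self.burners:
            raise Revert("caller does not have the burner role")
        self._burn(account, amount)


def allowance_scenario() -> dict:
    """Constructed walkthrough: who can burn alice's tokens via burnFrom."""
    t = Token("alice", 1000)
    out = {}
    # 1. A stranger with no allowance: reverts, nothing burned.
    try:
        t.burn_from("mallory", "alice", 10)
    except Revert as e:
        out["no_allowance"] = str(e)
    out["after_stranger"] = (t.balance_of("alice"), t.total_supply)
    # 2. alice approves bob for 100; bob burns 60; allowance drops to 40.
    t.approve("alice", "bob", 100)
    t.burn_from("bob", "alice", 60)
    out["after_approved_burn"] = (t.balance_of("alice"), t.allowance("alice", "bob"), t.total_supply)
    # 3. bob tries 50 more, exceeding the remaining 40: reverts, state unchanged.
    try:
        t.burn_from("bob", "alice", 50)
    except Revert as e:
        out["over_allowance"] = str(e)
    out["after_failed_burn"] = (t.balance_of("alice"), t.allowance("alice", "bob"))
    return out


def role_scenario() -> dict:
    """Constructed walkthrough: a privileged burner needs no allowance."""
    t = Token("alice", 500)
    out = {}
    try:
        t.admin_burn("owner", "alice", 100)   # role not granted yet
    except Revert as e:
        out["unauthorized"] = str(e)
    t.burners.add("owner")
    t.admin_burn("owner", "alice", 100)      # works without any approve()
    out["after_admin_burn"] = (t.balance_of("alice"), t.total_supply)
    return out


if __name__ == "__main__":
    print(allowance_scenario())
    print(role_scenario())
```

The allowance scenario shows the property the first reply describes: without an approve() from the holder, burnFrom reverts with the SafeMath message and nothing changes, and once an allowance exists it is consumed by each burn. The role scenario shows the trade-off the second reply raises: a privileged burn bypasses the holder's consent entirely, which is why who holds that role matters.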


Housekeeping: changed the category to #support:openzeppelin and marked my first reply as the solution