Platform: Code4rena
Start Date: 12/04/2023
Pot Size: $60,500 USDC
Total HM: 21
Participants: 199
Period: 7 days
Judge: hansfriese
Total Solo HM: 5
Id: 231
League: ETH
Rank: 136/199
Findings: 1
Award: $22.60
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: juancito
Also found by: 0xAgro, 0xNorman, 0xSmartContract, 0xStalin, 0xTheC0der, 0xWaitress, 0xhacksmithh, 0xnev, 3dgeville, 8olidity, Arz, Aymen0909, BGSecurity, BRONZEDISC, Bauchibred, Bauer, BenRai, ChainHunters, ChrisTina, CodeFoxInc, DedOhWale, DishWasher, EloiManuel, IceBear, Inspex, Jorgect, Kaysoft, LeoGold, LewisBroadhurst, Madalad, MiloTruck, MohammedRizwan, Nyx, Polaris_tow, RaymondFam, SaharDevep, SanketKogekar, Sathish9098, SolidityATL, Udsen, W0RR1O, aria, ayden, berlin-101, bin2chen, catellatech, codeslide, crc32, decade, descharre, evmboi32, eyexploit, fatherOfBlocks, georgits, giovannidisiena, joestakey, karanctf, kodyvim, ltyu, lukris02, m9800, matrix_0wl, mov, mrpathfindr, nadin, niser93, p0wd3r, parlayan_yildizlar_takimi, pavankv, pontifex, qpzm, ravikiranweb3, rbserver, santipu_, shealtielanz, slvDev, tnevler, wonjun, xmxanuel, yixxas
22.6007 USDC - $22.60
A suggested minter can be denied as long as block.timestamp <= minters[_minter] accordring to the denyMinter() method of the Frankencoin contract.
However, a suggested minter can already act as an accepted minter as soon as block.timestamp >= minters[_minter] according to the isMinter() method of the Frankencoin contract.
Therefore, we have an overlap at block.timestamp == minters[_minter]. Although it's unlikely that this edge case ever occurs, it's still something that needs to be fixed.
Following scenario: There is an open position with a perfectly valid but heavily centralized collateral token and the cooldown period has already expired, i.e. the owner of the position can mint ZCHF and cannot be denied anymore. However, the collateral token is secretly compromised by an attacker who also happens to be the owner of the position.
The attacker having full control over the collateral token might stop transfers which makes it impossible to challenge the position due to the transferFrom() call in the launchChallenge() method of the MintingHub contract.
Moreover, the attacker might mint additional collateral to the position.
Consequently, there is nothing that can stop the attacker (owner of the position) from minting ZCHF until the limit (specified at construction of position) is reached or the position expires naturally (see alive modifier of mint() method).
In conclusion, the impact is absolutely critical and leads to severe loss of funds, but the attack path is highly hypothetical, therefore I decided to submit this as low severity. Anyways, it's technically possible to exploit this attack vector and I suggest to discuss how to handle broken / compromised collateral tokens after the cooldown period.
#0 - 0xA5DF
2023-04-27T09:05:48Z
#2 is dupe of #589
#1 - c4-pre-sort
2023-04-27T09:06:27Z
0xA5DF marked the issue as high quality report
#2 - luziusmeisser
2023-04-30T15:20:14Z
The first one is also a duplicate from another report.
#3 - luziusmeisser
2023-04-30T15:25:26Z
The second one is invalid, see my comment there. I still choose "confirm" as the first one is valid (although of very low severity) and being addressed.
#4 - c4-sponsor
2023-04-30T15:25:33Z
luziusmeisser marked the issue as sponsor confirmed
#5 - c4-judge
2023-05-18T05:54:14Z
hansfriese marked the issue as grade-b