Revolution Protocol - 0xlemon's results

Lines of code

https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/ERC20TokenEmitter.sol#L152-L230

Vulnerability details

Summary

There is leftover ether that will be stuck forever in the ERC20TokenEmitter. This is a result of executing the buyToken function and sending ether as msg.value.

Vulnerability Details

ERC20TokenEmitter::buyToken function is used to buy erc20 votes tokens. If the owner of the contract has set a payment for the creator from setCreatorRateBps function, then there will be ether stuck if the direct payment entropyRateBps is not set to 100%. This happens because when a user sends value to the contract, a small portion of this value is reserved for the builder, purchaseReferral and deployer. Another portion is transferred to the DAO in exchange for minting the user vote tokens, then we have a direct payment for the creator and finally instead of tranferring the creator's left payment, we mint him vote tokens. The problem is exactly in the last step because we mint erc20 tokens for the creator but the value that this erc20 tokens correspond to is left in the contract with no actual way to withdraw it.

Proof of Concept

Here is a test showcasing the issue: Add this test in 2023-12-revolutionprotocol\packages\revolution\test\token-emitter\ERC20TokenEmitter.t.sol and add the console at the top like that: import { Test, console } from "forge-std/Test.sol"; To run this test: forge test --match-contract testStuckEtherAfterBuyToken -vvv (make sure you are in the 2023-12-revolutionprotocol/packages/revolution directory)

function testStuckEtherAfterBuyToken() public {
    address creatorAddress = makeAddr("creatorAddress");

    address owner = erc20TokenEmitter.owner();
    vm.startPrank(owner);
    erc20TokenEmitter.setCreatorsAddress(creatorAddress);
    erc20TokenEmitter.setCreatorRateBps(1000); // set the creator rate to be 10%
    erc20TokenEmitter.setEntropyRateBps(500); // 5% direct payment
    vm.stopPrank();

    address user = makeAddr("someUser");
    vm.deal(user, 10 ether);

    address[] memory recipients = new address[](1);
    recipients[0] = address(1);

    uint256[] memory bps = new uint256[](1);
    bps[0] = 10_000;

    vm.startPrank(user);
    erc20TokenEmitter.buyToken{ value: 10 ether}(
        recipients,
        bps,
        IERC20TokenEmitter.ProtocolRewardAddresses({
            builder: address(0),
            purchaseReferral: address(0),
            deployer: address(0)
        })
    );
    vm.stopPrank();

    console.log(address(erc20TokenEmitter).balance); // 0.9262 ether is left in the contract
    assert(address(erc20TokenEmitter).balance != 0);
}

In this test we see that after executing the buyToken function there is still ether left in the contract that cannot be withdrawn. This happens due to the issue I described above.

Impact

Ether stuck in ERC20TokenEmitter

Tools Used

Manual Review, VS Code, Foundry

Recommended Mitigation Steps

To mitigate this issue I recommend adding a withdraw function in the ERC20TokenEmitter contract to transfer any leftover ether to the treasury/DAO.

Assessed type

ETH-Transfer