Platform: Code4rena
Start Date: 12/04/2023
Pot Size: $60,500 USDC
Total HM: 21
Participants: 199
Period: 7 days
Judge: hansfriese
Total Solo HM: 5
Id: 231
League: ETH
Rank: 96/199
Findings: 1
Award: $28.28
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Josiah
Also found by: 0xDACA, Diana, Emmanuel, Kumpa, Nyx, RaymondFam, Ruhum, __141345__, bin2chen, carlitox477, lil_eth, nobody2018, rbserver
28.2764 USDC - $28.28
https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Position.sol#L100
Wrong value is returned for function reduceLimitForClone().
As per the natspec comment, reduceLimitForClone() should return the limit for the clone, which is calculated as limit -= reduction + _minimum; however, the function wrongly returns the value reduction + _minimum.
Due to this, when clonePosition() is executed in MintingHub.sol, the wrong value will be set for limit at MintingHub.sol#L126:
uint256 limit = existing.reduceLimitForClone(_initialMint);
As per the natspec comment at Position.sol#L95, the function should return the limit for the clone, which is calculated at Position.sol#L99:
limit -= reduction + _minimum;
The new limit value should now be:
limit = limit - reduction + _minimum
However, the function wrongly returns the value of reduction + _minimum instead of limit at Position.sol#L100:
return reduction + _minimum;
Due to this, when clonePosition() is executed in MintingHub.sol#L126, the wrong value will be set for limit:
uint256 limit = existing.reduceLimitForClone(_initialMint);
Manual review
function reduceLimitForClone(uint256 _minimum) external noChallenge noCooldown alive onlyHub returns (uint256) { uint256 reduction = (limit - minted - _minimum)/2; // this will fail with an underflow if minimum is too high limit -= reduction + _minimum; - return reduction + _minimum; + return limit; }
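Review bot: on the added `return limit;` line, the value handed back is the storage `limit` left after `limit -= reduction + _minimum`, which is what the existing position keeps rather than the amount taken from it, so the caller's `uint256 limit = existing.reduceLimitForClone(_initialMint);` would give the clone the same limit the original retains, and the two limits would in general no longer add up to the pre-call limit. Please state in the natspec which of the two quantities the return value is meant to be, and add a test that pins both the original's and the clone's limit after cloning. Separately, the inline comment relies on an arithmetic underflow to reject a too-high `_minimum`; an explicit check with a descriptive error before computing `reduction` would make that failure mode readable.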
#0 - c4-pre-sort
2023-04-24T19:55:33Z
0xA5DF marked the issue as duplicate of #932
#1 - c4-judge
2023-05-18T13:58:21Z
hansfriese marked the issue as satisfactory
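The arithmetic of reduceLimitForClone() discussed in the finding above, as an added Python model that is not part of the submission or of the Frankencoin code: for a constructed position state it computes what the existing position keeps and what clonePosition() receives under the current return statement and under the one proposed in the mitigation. The Python names and the sample numbers are assumptions made for the illustration.

```python
"""Model of the reduceLimitForClone() arithmetic (added example, not project code)."""

class Underflow(Exception):
    """Stands in for the Solidity 0.8 checked-arithmetic revert."""

def checked_sub(a: int, b: int) -> int:
    # uint256 subtraction: revert instead of wrapping or going negative
    if b > a:
        raise Underflow(f"{a} - {b} underflows")
    return a - b

def reduce_limit_for_clone(limit: int, minted: int, minimum: int, proposed: bool):
    """Return (limit kept by the existing position, value returned to the hub)."""
    # uint256 reduction = (limit - minted - _minimum)/2;
    reduction = checked_sub(checked_sub(limit, minted), minimum) // 2
    # limit -= reduction + _minimum;
    kept = checked_sub(limit, reduction + minimum)
    # proposed=False: return reduction + _minimum;   proposed=True: return limit;
    returned = kept if proposed else reduction + minimum
    return kept, returned

def clone_outcome(limit: int, minted: int, minimum: int, proposed: bool) -> dict:
    """Model of `uint256 limit = existing.reduceLimitForClone(_initialMint);`."""
    kept, clone_limit = reduce_limit_for_clone(limit, minted, minimum, proposed)
    return {"existing_limit": kept, "clone_limit": clone_limit,
            "combined": kept + clone_limit}

if __name__ == "__main__":
    # Constructed state: limit 1000, 200 already minted, clone asks for 100.
    for proposed in (False, True):
        label = "return limit" if proposed else "return reduction + _minimum"
        print(label, clone_outcome(1000, 200, 100, proposed))
    # Constructed state where _minimum exceeds the unminted headroom.
    try:
        clone_outcome(1000, 950, 100, proposed=False)
    except Underflow as exc:
        print("reverts:", exc)
```
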