Platform: Code4rena
Start Date: 12/04/2023
Pot Size: $60,500 USDC
Total HM: 21
Participants: 199
Period: 7 days
Judge: hansfriese
Total Solo HM: 5
Id: 231
League: ETH
Rank: 53/199
Findings: 3
Award: $97.17
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Lirios
Also found by: 0xDACA, 117l11, BenRai, ChrisTina, Emmanuel, Kumpa, SpicyMeatball, T1MOH, __141345__, bin2chen, bughunter007, cccz, jangle, juancito, nobody2018, said, shalaamum, tallo, vakzz
35.0635 USDC - $35.06
https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/MintingHub.sol#L252-L276 https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/Position.sol#L329-L354
The owner of a position can become the challenger of his own position and end the challenge within the same block in which the position was opened, earning the challenger reward without limit. Because everything happens in a single block, the owner rules out any intervention by other entities such as the voters, other challengers, and bidders.
- To guarantee that no other bidder can intervene, the owner creates a position with `_challengeSeconds` set to 0.
- In the same block in which the position is created, the owner calls `launchChallenge` on it with the challenger's `_collateralAmount` equal to the position's collateral amount.
- Still within the same block, the owner can call `end`, whose time check passes because `challenge.end` equals the `block.timestamp` at which the position was created and the challenge launched.
- Line 257 returns the challenger's collateral to the challenger, i.e. the owner.
- Since `challenge.bidder` is the zero address (nobody has bid), the recipient chosen on line 259 is `msg.sender`, the owner who calls the function, so the position's collateral flows back to the owner as well. At this point all of the owner's costs are covered.
- Besides handing the collateral back to the owner, `challenge.position.notifyChallengeSucceeded` computes a volume equal to the challenge size multiplied by the price (line 347), and that volume is used to calculate the reward for winning the challenge.
- On line 269, because `effectiveBid` is zero (there was no bid), `fundsNeeded` is always larger, which triggers `notifyLoss`; this lets the owner obtain minted ZCHF while bypassing the minting restrictions.
- With this method the owner recovers his collateral from both the position and the challenge and additionally collects the reward for winning the challenge.
- Add a time restriction to the `end` function so that there is a gap in which other participants or voters can get involved with the position.
#0 - c4-pre-sort
2023-04-24T08:29:27Z
0xA5DF marked the issue as duplicate of #458
#1 - c4-judge
2023-05-18T14:36:56Z
hansfriese marked the issue as satisfactory
🌟 Selected for report: Josiah
Also found by: 0xDACA, Diana, Emmanuel, Kumpa, Nyx, RaymondFam, Ruhum, __141345__, bin2chen, carlitox477, lil_eth, nobody2018, rbserver
28.2764 USDC - $28.28
A malicious user can repeatedly clone a targeted position to make its `mint` function unusable by driving down the position's limit. After each clone, the attacker repays what the clone minted and withdraws his collateral, then clones again. The cost of the attack is only the gas fee, while the impact is that it disrupts the standard way of obtaining Frankencoin through cloning: the targeted position loses both its capacity to mint and its capacity to serve as a host for others to clone and mint from.
1. Alice creates a position with limit = 1000 and has already minted 500.
2. Bob maliciously clones Alice's position purely to prevent her from minting more.
3. Bob sets `_initialMint` to 200, which reduces Alice's limit to 650.
4. After setting up the clone, Bob repays the amount the clone minted in order to withdraw his initial collateral.
5. Bob repeats step 2 with another clone of Alice's position, reducing her limit further until no headroom is left in the position.
- Charge a cost for cloning a position so that this attack is disincentivized.
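The following Python model replays Bob's clone loop against Alice's position. It is an added example written for this page, not Frankencoin's code: the limit-reduction rule is an assumption chosen so that an `_initialMint` of 200 against a position with limit 1000 and 500 minted yields the 650 figure above, and the names and the mint/repay bookkeeping are likewise illustrative. It goes one step beyond the page in two ways: it shows that repaying on the clone never restores the host's limit, and that under this assumed rule a single clone whose initial mint equals the whole remaining headroom exhausts the host at once.

```python
# Added example (not Frankencoin code): replay of the clone-spam loop against a host
# position. The limit-reduction rule is an assumption chosen to reproduce the page's
# 1000 -> 650 figure; names and bookkeeping are likewise illustrative.
from dataclasses import dataclass


@dataclass
class Position:
    owner: str
    limit: int       # maximum ZCHF this position may have outstanding
    minted: int = 0  # ZCHF currently outstanding

    def headroom(self) -> int:
        return self.limit - self.minted

    def can_mint(self, amount: int) -> bool:
        return self.minted + amount <= self.limit

    def mint(self, amount: int) -> None:
        if not self.can_mint(amount):
            raise ValueError(f"{self.owner}: {self.minted} + {amount} exceeds limit {self.limit}")
        self.minted += amount

    def repay(self, amount: int) -> None:
        # Repaying only lowers what this position owes; a host's limit is never restored by it.
        self.minted -= min(amount, self.minted)

    def reduce_limit_for_clone(self, initial_mint: int) -> int:
        """Assumed rule: the clone is granted `initial_mint` plus half of the host's remaining
        headroom, and that grant is permanently subtracted from the host's limit."""
        remaining = self.headroom() - initial_mint
        if remaining < 0:
            raise ValueError("initial mint larger than host headroom")  # would revert on underflow
        grant = initial_mint + remaining // 2
        self.limit -= grant
        return grant

    def clone(self, cloner: str, initial_mint: int) -> "Position":
        clone = Position(cloner, limit=self.reduce_limit_for_clone(initial_mint))
        clone.mint(initial_mint)  # the clone opens with initial_mint outstanding
        return clone


def run_clone_spam(host_limit: int, host_minted: int, initial_mints: list) -> dict:
    """Bob's loop: clone the host, repay on the clone, withdraw, repeat.
    Returns the host's limit after each round and whether the host can still mint."""
    alice = Position("alice", host_limit, host_minted)
    limits = []
    for m in initial_mints:
        bob = alice.clone("bob", m)
        bob.repay(m)                # Bob's clone owes nothing and he withdraws his collateral ...
        limits.append(alice.limit)  # ... yet Alice's limit stays reduced
    return {"limits": limits, "host_headroom": alice.headroom(), "host_can_mint_1": alice.can_mint(1)}


def single_shot_exhaust(host_limit: int, host_minted: int) -> int:
    """Worst case of the same rule: one clone whose initial mint equals the full headroom
    leaves the host with no capacity at all. Returns the host's limit after that clone."""
    alice = Position("alice", host_limit, host_minted)
    alice.clone("bob", alice.headroom())
    return alice.limit
```

`run_clone_spam(1000, 500, [200, 100, 25])` walks the host's limit from 1000 down to 650, 525 and finally 500, after which Alice cannot mint a single unit; each round costs Bob nothing but gas in this model, which is exactly why a per-clone cost is the suggested mitigation.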
#0 - c4-pre-sort
2023-04-20T09:48:17Z
0xA5DF marked the issue as duplicate of #932
#1 - c4-judge
2023-05-18T13:56:55Z
hansfriese marked the issue as satisfactory
🌟 Selected for report: peanuts
Also found by: GreedyGoblin, J4de, KIntern_NA, Kumpa, LegendFenGuin, T1MOH, __141345__, deadrxsezzz, deliriusz, ltyu, m9800, rvierdiiev
33.835 USDC - $33.83
https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/MintingHub.sol#L199-L229 https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/Position.sol#L304-L313
An attacker can defer minting on a position indefinitely by acting as both the challenger and the bidder on that position. An averted challenge triggers `restrictMinting(1 days);`, which the attacker can abuse forever.
- After launching the challenge, the attacker can instantly `bid` on it to end his own challenge.
https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/Position.sol#L304-L313
- If he bids high enough, `challenge.position.tryAvertChallenge` succeeds, which lets him end the challenge and, more critically, `tryAvertChallenge` also calls `restrictMinting(1 days);`.
- After one day the attacker can simply repeat the attack, since its only cost is the gas fee.
- Charge a cost for launching a challenge so that this attack is disincentivized.
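The two self-challenge abuses on this page, the same-block `end` with `_challengeSeconds = 0` from the first finding and the self-bid avert described here, can both be replayed against one small Python model of the hub's challenge lifecycle. This is an added example written for this page, not Frankencoin's code: the 2% reward rate, the assumption that `notifyLoss` is covered by minting (empty reserve), the prices and sizes, and every name are illustrative choices rather than facts taken from the page.

```python
# Added example (not Frankencoin code): a small model of a MintingHub-style challenge
# used to replay the two self-challenge abuses described in the findings above. The 2%
# reward, the assumption that losses are covered by minting, prices, sizes and all
# names are illustrative choices, not facts taken from the page.
from dataclasses import dataclass

ONE_DEC18 = 10**18
CHALLENGER_REWARD_PPM = 20_000  # assumed: challenger reward is 2% of the challenged volume
ONE_DAY = 86_400


@dataclass
class Position:
    owner: str
    price: int              # ZCHF (18 decimals) per whole collateral unit
    collateral: int         # whole collateral units held by the position
    minted: int             # ZCHF (18 decimals) the position owes
    challenge_seconds: int  # _challengeSeconds chosen by the owner at creation
    cooldown: int = 0       # minting reverts while block.timestamp <= cooldown

    def can_mint(self, now: int) -> bool:
        return now > self.cooldown

    def try_avert(self, now: int, size: int, bid: int) -> bool:
        # A bid worth at least price * size averts the challenge and, as the finding notes,
        # also restricts minting for one day (extending any earlier restriction).
        if bid < self.price * size:
            return False
        self.cooldown = max(self.cooldown, now + ONE_DAY)
        return True


@dataclass
class Challenge:
    challenger: str
    position: Position
    size: int         # collateral the challenger put up, matched against the position's
    end: int
    bidder: str = ""  # "" plays the role of address(0)
    bid: int = 0


class Hub:
    def __init__(self) -> None:
        self.minted_to_cover_loss = 0  # ZCHF created by notifyLoss (reserve assumed empty)
        self.zchf = {}                 # net ZCHF flow per address

    def _pay(self, who: str, amount: int) -> None:
        self.zchf[who] = self.zchf.get(who, 0) + amount

    def launch(self, now: int, challenger: str, pos: Position, size: int) -> Challenge:
        return Challenge(challenger, pos, size, end=now + pos.challenge_seconds)

    def bid(self, now: int, ch: Challenge, bidder: str, amount: int) -> bool:
        # True: the bid averted the challenge; the bidder pays the challenger and takes the
        # challenger's collateral. False: the bid is merely recorded.
        if ch.position.try_avert(now, ch.size, amount):
            self._pay(bidder, -amount)
            self._pay(ch.challenger, amount)
            return True
        ch.bidder, ch.bid = bidder, amount
        return False

    def end(self, now: int, ch: Challenge, caller: str) -> dict:
        # Settle an unaverted challenge, following the steps quoted in the first finding.
        if now < ch.end:
            raise ValueError("period has not ended")
        pos = ch.position
        recipient = ch.bidder or caller             # no bidder: the caller takes the collateral
        volume = pos.price * ch.size                # ZCHF the challenged collateral backs
        repayment = min(pos.minted, volume)
        pos.minted -= repayment                     # the position's debt is written off ...
        pos.collateral -= ch.size                   # ... and its collateral goes to recipient
        reward = volume * CHALLENGER_REWARD_PPM // 1_000_000
        loss = max(reward + repayment - ch.bid, 0)  # effectiveBid is 0 when nobody bid
        self.minted_to_cover_loss += loss           # notifyLoss: the shortfall is minted
        self._pay(ch.challenger, reward)
        return {"collateral_to": recipient, "reward": reward, "debt_cleared": repayment,
                "loss_notified": loss, "zchf_minted_to_cover": self.minted_to_cover_loss}


def self_challenge_same_block(now: int = 1_000) -> dict:
    # Finding 1: owner opens with _challengeSeconds = 0, then challenges and ends in one block.
    hub, owner = Hub(), "owner"
    pos = Position(owner, price=2 * ONE_DEC18, collateral=100, minted=150 * ONE_DEC18, challenge_seconds=0)
    ch = hub.launch(now, owner, pos, size=pos.collateral)  # challenge size == position collateral
    out = hub.end(now, ch, caller=owner)                    # same block, so nobody could bid
    out["owner_zchf_net"] = hub.zchf.get(owner, 0)
    return out


def repeated_self_avert(days: int, now: int = 1_000) -> dict:
    # Finding 3: attacker challenges Alice, bids on his own challenge, repeats every day.
    hub = Hub()
    alice = Position("alice", price=2 * ONE_DEC18, collateral=100, minted=100 * ONE_DEC18, challenge_seconds=3 * ONE_DAY)
    t = now
    for _ in range(days):
        ch = hub.launch(t, "mallory", alice, size=1)
        assert hub.bid(t, ch, "mallory", amount=2 * ONE_DEC18)  # bid == price * size: averted at once
        t += ONE_DAY
    return {"cooldown": alice.cooldown, "alice_can_mint": alice.can_mint(t),
            "mallory_zchf_net": hub.zchf.get("mallory", 0)}
```

In `self_challenge_same_block` the owner ends his own challenge at the very timestamp it was launched, takes back both collateral balances, has 150 ZCHF of debt written off, and is paid a 4 ZCHF reward, all of which is funded by 154 ZCHF minted through the loss path rather than by any bidder. In `repeated_self_avert` Mallory's bid flows from her bidder address to her challenger address, so her net ZCHF cost is zero, while Alice's cooldown is pushed forward by one day per round and she still cannot mint when the last round's day is up.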
#0 - c4-pre-sort
2023-04-22T18:51:19Z
0xA5DF marked the issue as duplicate of #745
#1 - c4-judge
2023-05-18T09:27:29Z
hansfriese marked the issue as satisfactory