Platform: Code4rena
Start Date: 12/04/2023
Pot Size: $60,500 USDC
Total HM: 21
Participants: 199
Period: 7 days
Judge: hansfriese
Total Solo HM: 5
Id: 231
League: ETH
Rank: 194/199
Findings: 1
Award: $0.07
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: decade
Also found by: 0x3b, 0xDACA, 0xWaitress, 0xWeiss, 0xkaju, Arz, Aymen0909, BPZ, EloiManuel, HaCk0, J4de, Jerry0x, Jiamin, John, Juntao, Kek, Lalanda, MiloTruck, Mukund, PNS, RedTiger, Ruhum, Satyam_Sharma, ToonVH, Tricko, Udsen, ak1, anodaram, bin2chen, carrotsmuggler, cccz, circlelooper, deadrxsezzz, giovannidisiena, jasonxiale, joestakey, juancito, karanctf, kenta, kodyvim, ladboy233, lil_eth, lukino, markus_ether, marwen, mrpathfindr, nobody2018, parlayan_yildizlar_takimi, peakbolt, ravikiranweb3, rbserver, rvierdiiev, silviaxyz, volodya, zhuXKET, zzebra83
0.0748 USDC - $0.07
https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Equity.sol#L313
In the case of a devastating loss in equity, qualified FPS holders are able to restructure and restart the system. The function restructureCapTable is used in that case to wipe all FPS shares of all addresses provided in the addressesToWipe array. However, the function will only wipe the FPS shares of the address in the first position of the array. The function will not fail, so the caller could believe all addresses provided were wiped and proceed with the donation of ZCHF shares, to the detriment of himself and the benefit of the accounts not wiped by the restructureCapTable function.
function restructureCapTable(address[] calldata helpers, address[] calldata addressesToWipe) public {
    require(zchf.equity() < MINIMUM_EQUITY);
    checkQualified(msg.sender, helpers);
    for (uint256 i = 0; i<addressesToWipe.length; i++){
        address current = addressesToWipe[0]; // @audit-issue only the balance of the first address is burned
        _burn(current, balanceOf(current));
    }
}
After a loss in equity, most have lost hope in the Frankencoin system, except for Alice, who still believes in it and is willing to provide ZCHF to save it. Alice is donating ZCHF to the minter reserve but does not want to share it with the other FPS holders. Alice calls the restructureCapTable function to burn the shares of all other FPS holders for the possibility to bootstrap the system again owning 100% of all FPS shares.

Alice calls the restructureCapTable function with the parameter array addressesToWipe containing the addresses of all other FPS holders with FPS shares to burn.
restructureCapTable only deleted the first address in the array, so Alice will lose the ZCHF donated in step 2 with the other FPS holders.

Change the following line:
@@ -310,7 +310,7 @@ contract Equity is ERC20PermitLight, MathUtil, IReserve { require(zchf.equity() < MINIMUM_EQUITY); checkQualified(msg.sender, helpers); for (uint256 i = 0; i<addressesToWipe.length; i++){ - address current = addressesToWipe[0]; + address current = addressesToWipe[i]; _burn(current, balanceOf(current)); } }
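Review bot: the index fix on the + line (addressesToWipe[0] to addressesToWipe[i]) comes with no regression test in this patch, and the original bug survived because the call succeeds either way. Suggest adding a test that passes at least two addresses in addressesToWipe and asserts that balanceOf is zero for each of them after the call. As a style point on the for line, i<addressesToWipe.length would read better as i < addressesToWipe.length.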
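A simplified Python model of the wipe loop, added here as an illustration (it is not the Frankencoin code or the warden's proof of concept): it compares the original [0] index with the patched [i] index on a constructed cap table and shows the post-call balance check a caller can run before donating. The holder names, balances and the pro-rata sharing rule are assumptions of the model; the require and checkQualified lines are left out.

```python
from fractions import Fraction


def restructure(balances, addresses_to_wipe, fixed):
    """Model of the wipe loop: the original reads index 0 on every pass,
    the patched version reads index i."""
    out = dict(balances)
    for i in range(len(addresses_to_wipe)):
        current = addresses_to_wipe[i if fixed else 0]
        out[current] = 0  # stands in for _burn(current, balanceOf(current))
    return out


def not_wiped(balances, addresses_to_wipe):
    """Post-call check: listed addresses that still hold shares."""
    return [a for a in addresses_to_wipe if balances.get(a, 0) != 0]


def donor_share(balances, donor):
    """Donor's fraction of total supply.
    Model assumption: equity is shared pro rata to FPS balance."""
    total = sum(balances.values())
    return Fraction(balances[donor], total)


# Constructed cap table (hypothetical holders and balances, not chain data).
CAP_TABLE = {"alice": 100, "bob": 300, "carol": 400, "dave": 200}
TO_WIPE = ["bob", "carol", "dave"]


def run(fixed):
    """Return (balances after the call, surviving holders, Alice's share)."""
    after = restructure(CAP_TABLE, TO_WIPE, fixed)
    return after, not_wiped(after, TO_WIPE), donor_share(after, "alice")


if __name__ == "__main__":
    for fixed in (False, True):
        after, survivors, share = run(fixed)
        label = "patched" if fixed else "original"
        print(f"{label}: survivors={survivors} alice_share={share}")
```

In the original loop the call returns normally while two of the three listed holders keep their shares, which is why a balance check after the call matters more than the call's success.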
#0 - c4-pre-sort
2023-04-20T14:27:00Z
0xA5DF marked the issue as duplicate of #941
#1 - c4-judge
2023-05-18T14:25:30Z
hansfriese marked the issue as satisfactory