Platform: Code4rena
Start Date: 12/04/2023
Pot Size: $60,500 USDC
Total HM: 21
Participants: 199
Period: 7 days
Judge: hansfriese
Total Solo HM: 5
Id: 231
League: ETH
Rank: 51/199
Findings: 2
Award: $115.71
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: cccz
Also found by: DishWasher, KIntern_NA, SolidityATL, ToonVH, giovannidisiena, joestakey, santipu_
93.1122 USDC - $93.11
In equity.sol the team mints 1000 FPS shares for the initial deposit(likely someone from the Frankencoin team). After this initial deposit is made, the team intends to calculate shares in a normal manner using calculateSharesInternal(). In the event where anyone after the first depositer attempts to mint FPS shares when depositing an amount greater than the current equity, they will not receive a fair calculation of shares. They will only receive 1000 FPS tokens. This negatively impacts both the protocol and users. User's with large sums of ZCHF will not receive a fair amount of shares
Manual Review
The recommended mitigation is to enforce the proper shares calculation for the FPS share minter after the first deposit is made.
#0 - c4-pre-sort
2023-04-24T12:54:14Z
0xA5DF marked the issue as duplicate of #983
#1 - c4-pre-sort
2023-04-24T12:54:19Z
0xA5DF marked the issue as low quality report
#2 - 0xA5DF
2023-04-24T12:57:22Z
In the event where anyone after the first depositer attempts to mint FPS shares when depositing an amount greater than the current equity,
Didn't correctly identify the issue, the onTokenTransfer is called after transfer, meaning the amount of the deposit isn't the issue here but the amount of equity in the system beforehand
#3 - c4-judge
2023-05-18T04:59:53Z
hansfriese marked the issue as duplicate of #396
#4 - c4-judge
2023-05-18T05:21:47Z
hansfriese marked the issue as duplicate of #396
#5 - c4-judge
2023-05-18T13:36:16Z
hansfriese marked the issue as satisfactory
🌟 Selected for report: juancito
Also found by: 0xAgro, 0xNorman, 0xSmartContract, 0xStalin, 0xTheC0der, 0xWaitress, 0xhacksmithh, 0xnev, 3dgeville, 8olidity, Arz, Aymen0909, BGSecurity, BRONZEDISC, Bauchibred, Bauer, BenRai, ChainHunters, ChrisTina, CodeFoxInc, DedOhWale, DishWasher, EloiManuel, IceBear, Inspex, Jorgect, Kaysoft, LeoGold, LewisBroadhurst, Madalad, MiloTruck, MohammedRizwan, Nyx, Polaris_tow, RaymondFam, SaharDevep, SanketKogekar, Sathish9098, SolidityATL, Udsen, W0RR1O, aria, ayden, berlin-101, bin2chen, catellatech, codeslide, crc32, decade, descharre, evmboi32, eyexploit, fatherOfBlocks, georgits, giovannidisiena, joestakey, karanctf, kodyvim, ltyu, lukris02, m9800, matrix_0wl, mov, mrpathfindr, nadin, niser93, p0wd3r, parlayan_yildizlar_takimi, pavankv, pontifex, qpzm, ravikiranweb3, rbserver, santipu_, shealtielanz, slvDev, tnevler, wonjun, xmxanuel, yixxas
22.6007 USDC - $22.60
https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/ERC20.sol#L125-L135
This has been a long debated discussion in he Defi space. ultimately it is harmful to allow infinite allowances in your protocol. In the event that an exploit occurs, all of users token funds are at risk as apposed to a limited approved amount. Additionally the recent sushi swap hack would not have been possible if the users had not been able to allow for infinite approvals
https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/MintingHub.sol#L59-L64
https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/ERC20.sol#L125-L135
Manual review
Prevent unlimited approvals for Frankencoin ERC20 tokens. It's best to support the approval-spend flow for atomic transactions rather than allow infinite approvals.
https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Position.sol#L50-L71
The Frankencoin docs state that when opening a position there should be a minimum initial collateral of ~5000 ZCHF. There is no minimum collateral enforced on the contract and it is possible to open a position with zero collateral
https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Position.sol#L50-L71
Manual Review
Enforce a minimum collateral by adding an addition require statement in the constructor of Position.sol or update the docs to mention this value can be zero
https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Position.sol#L50-L71
require(initPeriod >= 3 days); // must be at least three days, recommended to use higher values
When opening a position the docs mention a 7 day initialization period. In the code the minimum accepted initialization period is 3 days.
https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Position.sol#L50-L71
Manual Review
Update the docs to reflect the initial period of 3 days or update the code to match the doc
#0 - 0xA5DF
2023-04-26T19:33:27Z
Dupe of #601 And #242
#1 - c4-pre-sort
2023-04-26T19:33:35Z
0xA5DF marked the issue as high quality report
#2 - c4-judge
2023-05-16T16:28:41Z
hansfriese marked the issue as grade-b