Canto Application Specific Dollars and Bonding Curves for 1155s - Udsen's results

Tokenizable bonding curves using a Stablecoin-as-a-Service token

General Information

Platform: Code4rena

Start Date: 13/11/2023

Pot Size: $24,500 USDC

Total HM: 3

Participants: 120

Period: 4 days

Judge: 0xTheC0der

Id: 306

League: ETH

Canto

Findings Distribution

Researcher Performance

Rank: 97/120

Findings: 1

Award: $1.37

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L150
https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L174
https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L203
https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L226

Vulnerability details

Impact

The Market.sol contract implements four functions whose price and fee amounts are derived from the linear bonding curve: Market.buy, Market.sell, Market.mintNFT and Market.burnNFT.

In each of these functions the amount the caller pays (or, for Market.sell, receives) is computed from the number of outstanding tokens (shareData[_id].tokenCount) at the moment the transaction executes, not at the moment it is submitted. Because the price and fee increase linearly with the outstanding token count, any delay between submission and execution during which other users change tokenCount changes the terms of the trade: a buyer or minter whose transaction lands after intervening buys pays a higher price and fee than quoted, and a seller whose transaction lands after intervening sells receives less.

None of the four functions accepts a slippage bound or a deadline. A Market.buy, Market.sell, Market.mintNFT or Market.burnNFT transaction that is delayed in the mempool can therefore be executed at a price point the user never agreed to, with no way for the user to bound the cost or have the transaction revert. The user is put at a disadvantage, paying more (or receiving less) than expected to complete the transaction.

Proof of Concept

    function buy(uint256 _id, uint256 _amount) external {

https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L150

    function sell(uint256 _id, uint256 _amount) external {

https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L174

    function mintNFT(uint256 _id, uint256 _amount) external {

https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L203

    function burnNFT(uint256 _id, uint256 _amount) external {

https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L226

Tools Used

Manual Review and VSCode

Recommended Mitigation Steps

Add slippage and deadline protection to Market.buy, Market.sell, Market.mintNFT and Market.burnNFT: accept a caller-supplied bound (a maximum total to pay for buy/mintNFT/burnNFT, a minimum amount to receive for sell) and a deadline timestamp, and revert when the bound is exceeded or the deadline has passed. This lets the user decide the price point at which they are willing to execute and the point after which the transaction should no longer execute, which is the fairer approach for users.
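The following is an added example written for this page, not code from the 1155tech repository or the finding author. It models the ordering problem described under Impact and the guarded entry points recommended above as a small Python class. The price formula (a constant PRICE_INCREASE per outstanding token, a flat 5% fee) and the names Market, buy_guarded, sell_guarded, max_total, min_proceeds and deadline are assumptions chosen for illustration; the real LinearBondingCurve uses a different fee schedule.

```python
"""Constructed model of a linear bonding-curve market (assumption, not
1155tech's code) showing why buy/sell need slippage and deadline guards."""


class SlippageExceeded(Exception):
    """Execution price moved past the caller's bound (would be a revert)."""


class DeadlineExpired(Exception):
    """Transaction mined after the caller's deadline (would be a revert)."""


PRICE_INCREASE = 100   # price step per outstanding token (assumed constant)
FEE_BPS = 500          # flat 5% fee; the real fee schedule differs (assumption)


def linear_price(token_count, amount):
    """Price and fee for `amount` tokens when `token_count` are outstanding.

    The i-th token on the curve costs PRICE_INCREASE * i, so the total is the
    sum over the next `amount` positions.  A higher token_count at execution
    time therefore means a strictly higher price and fee."""
    price = sum(PRICE_INCREASE * i
                for i in range(token_count + 1, token_count + amount + 1))
    fee = price * FEE_BPS // 10_000
    return price, fee


class Market:
    def __init__(self):
        self.token_count = {}       # stands in for shareData[_id].tokenCount
        self.block_timestamp = 0    # advanced by hand to model delayed inclusion

    def get_buy_price(self, id_, amount):
        return linear_price(self.token_count.get(id_, 0), amount)

    def get_sell_price(self, id_, amount):
        count = self.token_count.get(id_, 0)
        if amount > count:
            raise ValueError("not enough outstanding tokens")
        return linear_price(count - amount, amount)

    # Unguarded entry points: same shape as Market.buy / Market.sell,
    # price is whatever the curve says at execution time.
    def buy(self, id_, amount):
        price, fee = self.get_buy_price(id_, amount)
        self.token_count[id_] = self.token_count.get(id_, 0) + amount
        return price + fee                     # amount charged to the buyer

    def sell(self, id_, amount):
        price, fee = self.get_sell_price(id_, amount)
        self.token_count[id_] -= amount
        return price - fee                     # amount paid out to the seller

    # Guarded variants: the caller bounds the outcome and the inclusion time.
    def buy_guarded(self, id_, amount, max_total, deadline):
        if self.block_timestamp > deadline:
            raise DeadlineExpired(self.block_timestamp)
        price, fee = self.get_buy_price(id_, amount)
        if price + fee > max_total:
            raise SlippageExceeded(price + fee)
        return self.buy(id_, amount)

    def sell_guarded(self, id_, amount, min_proceeds, deadline):
        if self.block_timestamp > deadline:
            raise DeadlineExpired(self.block_timestamp)
        price, fee = self.get_sell_price(id_, amount)
        if price - fee < min_proceeds:
            raise SlippageExceeded(price - fee)
        return self.sell(id_, amount)


def delayed_buy():
    """Alice quotes buy(1, 10) at tokenCount 0; Bob's buy(1, 50) is mined
    first; Alice's unguarded tx then executes against tokenCount 50."""
    m = Market()
    quoted = sum(m.get_buy_price(1, 10))
    m.buy(1, 50)
    paid = m.buy(1, 10)
    return quoted, paid


def delayed_sell():
    """Same problem in the other direction: Alice quotes a sell at
    tokenCount 60, Bob's sell(1, 50) lands first, Alice receives far less."""
    m = Market()
    m.buy(1, 50)
    m.buy(1, 10)
    price, fee = m.get_sell_price(1, 10)
    quoted = price - fee
    m.sell(1, 50)
    received = m.sell(1, 10)
    return quoted, received


def guarded_outcomes():
    """With the bound and deadline enforced, the delayed transactions revert
    instead of executing at the unfavourable price."""
    m = Market()
    quoted = sum(m.get_buy_price(1, 10))
    m.buy(1, 50)
    results = []
    try:
        m.buy_guarded(1, 10, max_total=quoted, deadline=10)
    except SlippageExceeded:
        results.append("buy reverted: slippage")
    m.block_timestamp = 11                     # mined after the deadline
    try:
        m.buy_guarded(1, 10, max_total=10**12, deadline=10)
    except DeadlineExpired:
        results.append("buy reverted: deadline")
    m.block_timestamp = 0
    try:
        m.sell_guarded(1, 50, min_proceeds=10**12, deadline=10)
    except SlippageExceeded:
        results.append("sell reverted: slippage")
    return results
```

In the model, Alice's buy is quoted at 5775 but executes at 58275 once 50 tokens are bought ahead of her, and her sell is quoted at 52725 but pays out 5225 after a large sell lands first; the guarded variants turn both cases into reverts, which is the behaviour the mitigation asks for. The same max-total check applies to mintNFT and burnNFT, whose fees are read from the curve at the current tokenCount in the same way.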

Assessed type

Other

#0 - c4-pre-sort

2023-11-18T10:43:27Z

minhquanym marked the issue as duplicate of #12

#1 - c4-judge

2023-11-28T23:35:34Z

MarioPoneder marked the issue as satisfactory
