Canto Application Specific Dollars and Bonding Curves for 1155s - btk's results

Tokenizable bonding curves using a Stablecoin-as-a-Service token

General Information

Platform: Code4rena

Start Date: 13/11/2023

Pot Size: $24,500 USDC

Total HM: 3

Participants: 120

Period: 4 days

Judge: 0xTheC0der

Id: 306

League: ETH

Canto

Findings Distribution

Researcher Performance

Rank: 75/120

Findings: 1

Award: $4.08

QA:

grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Canto

Findings Information

🌟 Selected for report: chaduke

Also found by: 0xpiken, Bauchibred, Matin, MohammedRizwan, MrPotatoMagic, OMEN, Pheonix, SandNallani, T1MOH, Topmark, ZanyBonzy, adriro, aslanbek, ayden, bareli, bart1e, bin2chen, btk, cheatc0d3, codynhat, critical-or-high, d3e4, erebus, firmanregar, hunter_w3b, jasonxiale, kaveyjoe, ksk2345, lsaudit, max10afternoon, merlinboii, nailkhalimov, osmanozdemir1, peanuts, pep7siup, pontifex, sbaudh6, shenwilly, sl1, tourist, wisdomn_, young, zhaojie

Awards

4.0797 USDC - $4.08

Labels

bug

downgraded by judge

grade-b

QA (Quality Assurance)

duplicate-313

Q-21

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-11-canto/blob/main/asD/src/asDFactory.sol#L33-L39

Vulnerability details

Impact

asD's are created from the asDFactoryvia CREATE1, an attacker can frontrun create to deploy at the same address but with different config. If the deployed chain reorg, a different asD might also be deployed at the same address.

Proof of Concept

    function create(string memory _name, string memory _symbol) external returns (address) {
        asD createdToken = new asD(_name, _symbol, msg.sender, cNote, owner());
        isAsD[address(createdToken)] = true;
        emit CreatedToken(address(createdToken), _symbol, _name, msg.sender);
        return address(createdToken);
    }

A simple scenario to demonstrate the issue:

Bob setup a bot to monitor the mempool when a new asD token is deployed
Bob's bot saw a deployment by a user at 0x76jute98...., fire a tx to mint immediately
Alice frontrun asD deployment by deploying a malicious asD at 0x76jute98....
Bob's transaction ended up into Alice's malicious asD

Tools Used

Manual review

Recommended Mitigation Steps

Use CREATE2 and the asD config as salt.

Assessed type

Other

#0 - c4-pre-sort
2023-11-20T07:47:00Z

minhquanym marked the issue as primary issue

#1 - c4-pre-sort
2023-11-20T07:47:27Z

minhquanym marked the issue as duplicate of #313

#2 - c4-judge
2023-11-29T00:16:48Z

MarioPoneder changed the severity to QA (Quality Assurance)

#3 - c4-judge
2023-11-29T22:30:36Z

MarioPoneder marked the issue as grade-c

#4 - c4-judge
2023-12-04T12:06:22Z

MarioPoneder marked the issue as grade-b

Canto Application Specific Dollars and Bonding Curves for 1155s - btk's results

Tokenizable bonding curves using a Stablecoin-as-a-Service token

General Information

Findings Distribution

Researcher Performance

External Links

[Q-21] QA Report - $4.08

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

A simple scenario to demonstrate the issue:

Tools Used

Recommended Mitigation Steps

Assessed type

#0 - c4-pre-sort2023-11-20T07:47:00Z

#1 - c4-pre-sort2023-11-20T07:47:27Z

#2 - c4-judge2023-11-29T00:16:48Z

#3 - c4-judge2023-11-29T22:30:36Z

#4 - c4-judge2023-12-04T12:06:22Z

#0 - c4-pre-sort
2023-11-20T07:47:00Z

#1 - c4-pre-sort
2023-11-20T07:47:27Z

#2 - c4-judge
2023-11-29T00:16:48Z

#3 - c4-judge
2023-11-29T22:30:36Z

#4 - c4-judge
2023-12-04T12:06:22Z