Back to circlelooper's contests

Frankencoin - circlelooper's results

A decentralized and fully collateralized stablecoin.

General Information

Platform: Code4rena

Start Date: 12/04/2023

Pot Size: $60,500 USDC

Total HM: 21

Participants: 199

Period: 7 days

Judge: hansfriese

Total Solo HM: 5

Id: 231

League: ETH

Frankencoin

Findings Distribution

Researcher Performance

Rank: 192/199

Findings: 1

Award: $0.07

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryFrankencoin

Findings Information

🌟 Selected for report: decade

Also found by: 0x3b, 0xDACA, 0xWaitress, 0xWeiss, 0xkaju, Arz, Aymen0909, BPZ, EloiManuel, HaCk0, J4de, Jerry0x, Jiamin, John, Juntao, Kek, Lalanda, MiloTruck, Mukund, PNS, RedTiger, Ruhum, Satyam_Sharma, ToonVH, Tricko, Udsen, ak1, anodaram, bin2chen, carrotsmuggler, cccz, circlelooper, deadrxsezzz, giovannidisiena, jasonxiale, joestakey, juancito, karanctf, kenta, kodyvim, ladboy233, lil_eth, lukino, markus_ether, marwen, mrpathfindr, nobody2018, parlayan_yildizlar_takimi, peakbolt, ravikiranweb3, rbserver, rvierdiiev, silviaxyz, volodya, zhuXKET, zzebra83

Awards

0.0748 USDC - $0.07

Labels

bug
2 (Med Risk)
satisfactory
duplicate-941

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/Equity.sol#L309-L316

Vulnerability details

Impact

When there is less than 1000 ZCHF in equity left, qualified shareholders will find it very hard to restructure the system as they cannot wipe mulitiple addresses at a time.

Proof of Concept

The system is at risk when there is less than 1000 ZCHF in equity left (maybe even negative), so qualified FPS shareholders are expected to restructure the system by burning users' tokens. This could be done by restructureCapTable(address[] calldata helpers, address[] calldata addressesToWipe):

    function restructureCapTable(address[] calldata helpers, address[] calldata addressesToWipe) public {
        require(zchf.equity() < MINIMUM_EQUITY);
        checkQualified(msg.sender, helpers);
        for (uint256 i = 0; i<addressesToWipe.length; i++){
            address current = addressesToWipe[0];
            _burn(current, balanceOf(current));
        }
    }

Unfortunately, this functon is not implemented correctly, let's look at this line:

address current = addressesToWipe[0];

Even multiple addresses are provied in addressesToWipe, what the loop iteration does is only to burn the first address's token, while other addresses' token balance remains the same, it basically means that shareholders have to submit as many transactions as the address count they want to wipe, which is very hard to do.

Tools Used

Manual review

Please consider to change the line as below so loop iteration will work as expected:

address current = addressesToWipe[0];

#0 - c4-pre-sort

2023-04-20T14:27:44Z

0xA5DF marked the issue as duplicate of #941

#1 - c4-judge

2023-05-18T14:26:11Z

hansfriese marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter