Back to codynhat's contests

Canto Application Specific Dollars and Bonding Curves for 1155s - codynhat's results

Tokenizable bonding curves using a Stablecoin-as-a-Service token

General Information

Platform: Code4rena

Start Date: 13/11/2023

Pot Size: $24,500 USDC

Total HM: 3

Participants: 120

Period: 4 days

Judge: 0xTheC0der

Id: 306

League: ETH

Canto

Findings Distribution

Researcher Performance

Rank: 70/120

Findings: 1

Award: $4.08

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryCanto

Findings Information

🌟 Selected for report: chaduke

Also found by: 0xpiken, Bauchibred, Matin, MohammedRizwan, MrPotatoMagic, OMEN, Pheonix, SandNallani, T1MOH, Topmark, ZanyBonzy, adriro, aslanbek, ayden, bareli, bart1e, bin2chen, btk, cheatc0d3, codynhat, critical-or-high, d3e4, erebus, firmanregar, hunter_w3b, jasonxiale, kaveyjoe, ksk2345, lsaudit, max10afternoon, merlinboii, nailkhalimov, osmanozdemir1, peanuts, pep7siup, pontifex, sbaudh6, shenwilly, sl1, tourist, wisdomn_, young, zhaojie

Awards

4.0797 USDC - $4.08

Labels

bug
downgraded by judge
grade-b
QA (Quality Assurance)
sufficient quality report
duplicate-19
Q-39

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L290

Vulnerability details

Impact

In Market.sol, fees are split between the creator of a share, shareholders, and the platform. Due to a rounding issue, the total amount of fees split among these beneficiaries does not always sum to the fee collected. In addition, there is no way to withdraw this extra amount, resulting in the funds being stuck in the contract forever.

https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L290

Proof of Concept

The following is a test case added to Market.t.sol demonstrating funds accumulating.

function testAccumulatingToken() public {
    testCreateNewShare();

    token.mint(alice, 1e18);

    (uint256 outstandingPrices, ) = market.getBuyPrice(1, 10);

    vm.prank(alice);
    token.approve(address(market), 1e18);

    // Buy 10 shares
    token.approve(address(market), 1e18);
    market.buy(1, 10);

    // Everyone claims
    market.claimHolderFee(1);

    market.claimPlatformFee();

    vm.prank(bob);
    market.claimCreatorFee(1);

    for (uint256 i = 0; i < 10; i++) {
        // Alice buys and sells a share, distributing a fee
        vm.prank(alice);
        market.buy(1, 1);

        vm.prank(alice);
        market.sell(1, 1);
        
        // Everyone collects their fees
        vm.prank(alice);
        market.claimHolderFee(1);

        market.claimHolderFee(1);
        market.claimPlatformFee();

        vm.prank(bob);
        market.claimCreatorFee(1);

        // Balance should be == outstandingPrices, but has actually accumulated some tokens
        console.logUint(token.balanceOf(address(market)) - outstandingPrices);
    }

    assertEq(token.balanceOf(address(market)) - outstandingPrices, 0);
}

Tools Used

Manual review

The platformFee should be updated to include this excess amount in the calculation, just like it includes the remainder after shareHolderFee and shareCreatorFee.

https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L287

Assessed type

Math

#0 - c4-pre-sort

2023-11-18T04:12:23Z

minhquanym marked the issue as sufficient quality report

#1 - minhquanym

2023-11-18T04:12:52Z

Rounding issue with negligible amount

#2 - c4-pre-sort

2023-11-18T09:34:04Z

minhquanym marked the issue as duplicate of #19

#3 - c4-judge

2023-11-29T17:45:36Z

MarioPoneder changed the severity to QA (Quality Assurance)

#4 - c4-judge

2023-11-29T22:41:41Z

MarioPoneder marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter