Back to hihen's contests

Frankencoin - hihen's results

A decentralized and fully collateralized stablecoin.

General Information

Platform: Code4rena

Start Date: 12/04/2023

Pot Size: $60,500 USDC

Total HM: 21

Participants: 199

Period: 7 days

Judge: hansfriese

Total Solo HM: 5

Id: 231

League: ETH

Frankencoin

Findings Distribution

Researcher Performance

Rank: 94/199

Findings: 1

Award: $33.83

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryFrankencoin

Findings Information

🌟 Selected for report: Ruhum

Also found by: 7siech, DadeKuma, J4de, Lirios, deliriusz, foxb868, hihen, juancito, ladboy233, rbserver, santipu_, zaevlad

Labels

bug
2 (Med Risk)
satisfactory
duplicate-230

Awards

33.835 USDC - $33.83

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/Frankencoin.sol#L125 https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/Frankencoin.sol#L83 https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/Frankencoin.sol#L266

Vulnerability details

Impact

If a minter or position account is compromised, the contract will be attacked without any rescue measures.

Proof of Concept

Any Frankencoin minter or position account set by a minter can call mint and burn operations at will.

For example, the following functions can be called by minterOnly:

  function mint(address _target, uint256 _amount, uint32 _reservePPM, uint32 _feesPPM) override external minterOnly {`
  function mint(address _target, uint256 _amount) override external minterOnly {`
  function burn(uint256 amount, uint32 reservePPM) external override minterOnly {`
  function burnFrom(address payer, uint256 targetTotalBurnAmount, uint32 _reservePPM) external override minterOnly returns (uint256) {`
  function burnWithReserve(uint256 _amountExcludingReserve, uint32 _reservePPM) external override minterOnly returns (uint256) {`
  function burn(address _owner, uint256 _amount) override external minterOnly {`

The definition of minterOnly() is as follows:

   modifier minterOnly() {
      if (!isMinter(msg.sender) && !isMinter(positions[msg.sender])) revert NotMinter();
      _;
   }

This means that every minter and position account has permissions. And there is no place in the code to log out or delete a minter or position.

So if a valid minter or position account is compromised, a hacker can call these functions at any time to launch an attack. Even if the community or the minters themselves find out about this problem, there is no remedy. Because the Frankencoin contract cannot invalidate a minter or position.

Tools Used

VS Code

We should add the ability to remove minter and cancel positions to Frankencoin. A minter should be able to cancel any position, and the community should be able to vote to delete a minter.

#0 - c4-pre-sort

2023-04-28T10:37:48Z

0xA5DF marked the issue as duplicate of #230

#1 - c4-judge

2023-05-18T13:41:07Z

hansfriese marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter