Platform: Code4rena
Start Date: 13/11/2023
Pot Size: $24,500 USDC
Total HM: 3
Participants: 120
Period: 4 days
Judge: 0xTheC0der
Id: 306
League: ETH
Rank: 99/120
Findings: 1
Award: $1.37
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: rvierdiiev
Also found by: 0x175, 0x3b, 0xMango, 0xarno, 0xpiken, Bauchibred, DarkTower, ElCid, Giorgio, HChang26, Kose, KupiaSec, Madalad, PENGUN, Pheonix, RaoulSchaffranek, SpicyMeatball, T1MOH, Tricko, Udsen, Yanchuan, aslanbek, ast3ros, bart1e, bin2chen, chaduke, d3e4, deepkin, developerjordy, glcanvas, inzinko, jasonxiale, jnforja, mahyar, max10afternoon, mojito_auditor, neocrao, nmirchev8, openwide, osmanozdemir1, peanuts, pep7siup, peritoflores, pontifex, rice_cooker, rouhsamad, t0x1c, tnquanghuy0512, turvy_fuzz, twcctop, ustas, vangrim, zhaojie, zhaojohnson
1.3743 USDC - $1.37
https://github.com/code-423n4/2023-11-canto/blob/335930cd53cf9a137504a57f1215be52c6d67cb3/1155tech-contracts/src/Market.sol#L150-L169 https://github.com/code-423n4/2023-11-canto/blob/335930cd53cf9a137504a57f1215be52c6d67cb3/1155tech-contracts/src/bonding_curve/LinearBondingCurve.sol#L14-L25
The structure or should i say the whole concept of this protocol, makes it seems, that the only way holders can make passive income is if other people joins in the protocol and buys tokens, too, this will get them paid through fees and also the price of their tokens will also increase, if they choose to sell, as the protocol implements a linear price increase method, where more tokens equal higher prices and also with that comes the fees that are a percent of the prices. All this creates the perfect opportunities for MEVers, to target honest protocol participants, as a huge number of tokens deposited more fees and higher prices for the previous holders, a MEV, frontrunner could go ahead after spotting the transaction of a huge tokens purchase, make a huge token purchase of theirs increasing the total supply of tokens, hereby increasing the price at which the honest participants, will purchase theirs, which will also lead to higher fees depending on the level of token supply reached in the protocol.
The Concept of the Bonding Curve, in which the price of purchase hinges on the amount of the supply of tokens, actually facilitates this sort of action, due to its transparency and predictable pricing mechanisms.In bonding curve models, the price of tokens is algorithmically determined based on supply. Buying tokens increases the price, while selling decreases it. This predictable price change means that anyone observing a large pending buy order knows that the token price will increase once that order is executed.
I have already made a description of how the environment created by the protocol will in some way encourage actions like MEVing, and other Value extractable action, but let's explore an actual example description of it happening to get a good description of it happening .
Malicious User Targeting a Honest User Buy Transaction
Malicious User: Alice Victim: Bob
function buy(uint256 _id, uint256 _amount) external
This is a large enough order to significantly move the price on the bonding curve. The transaction is pending in the mempool.
Alice calculates that this order will increase the token price from, say, 100 tokens to 200 tokens. This is for simplicity as in practice the price of tokens may rarely reach this level, but the fundamental attack process still stands.
function getPriceAndFee(uint256 shareCount, uint256 amount) external view override returns (uint256 price, uint256 fee) { for (uint256 i = shareCount; i < shareCount + amount; i++) { uint256 tokenPrice = priceIncrease * i; price += tokenPrice; fee += (getFee(i) * tokenPrice) / 1e18; } }
Alice spots The Opportunity to Both Profit of the Price Increase that will, happen as a results of that buy, not only that by getting in earlier they stand a chance to receive the fees that will be distributed to the holders irrespective of when they started to hold the tokens
Alice Frontruns this Transaction to Also Purchase 500 tokens hereby increasing the price of the token from her own buy.
Due to this Buy from users like alice the price to purchase the 1000 tokens for bob as increased which mean the price he expected to buy them and the price that actually will execute the transaction has significantly increased, on top of that the fees the user will additionally pay will also increase, to a price at which Bob may not be willing to purchase them.
Bob May Think About Selling the Tokens Instantly, But the Fees he will Pay again to make that sale, will give him second thoughts, and also Alice may have just Dumped her Entire Buy again dropping the price.
The Huge Impact that this could be Done repeatedly by MEVers until they find that profit score to different honest users may cause an unhealthy environment for users to invest their money into. Taking this Kind of Considerations in to assign the kind of severity, it should be utmost important to solve, as it deals with the protocols Integrity and Functionality.
Manual Analysis
Introduce a Price Deviation acceptance system, where the users get to decide that, this is the highest price i am willing to pay in purchase of this number of tokens after showing them the current price each tokens are being sold and how they increase with their amount with the getPrice function. The owner will now make a decision if they are willing to pay more in any case even if malicious actors come into the picture. This means if the price goes higher than what they are willing to accept the transaction should revert and not go through. I think this will be the best way to prevent Unexpected Financial loss.
MEV
#0 - c4-pre-sort
2023-11-18T10:44:49Z
minhquanym marked the issue as duplicate of #12
#1 - c4-judge
2023-11-28T23:14:14Z
MarioPoneder changed the severity to 2 (Med Risk)
#2 - c4-judge
2023-11-28T23:37:45Z
MarioPoneder marked the issue as satisfactory