Platform: Code4rena
Start Date: 12/04/2023
Pot Size: $60,500 USDC
Total HM: 21
Participants: 199
Period: 7 days
Judge: hansfriese
Total Solo HM: 5
Id: 231
League: ETH
Rank: 107/199
Findings: 2
Award: $22.67
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: decade
Also found by: 0x3b, 0xDACA, 0xWaitress, 0xWeiss, 0xkaju, Arz, Aymen0909, BPZ, EloiManuel, HaCk0, J4de, Jerry0x, Jiamin, John, Juntao, Kek, Lalanda, MiloTruck, Mukund, PNS, RedTiger, Ruhum, Satyam_Sharma, ToonVH, Tricko, Udsen, ak1, anodaram, bin2chen, carrotsmuggler, cccz, circlelooper, deadrxsezzz, giovannidisiena, jasonxiale, joestakey, juancito, karanctf, kenta, kodyvim, ladboy233, lil_eth, lukino, markus_ether, marwen, mrpathfindr, nobody2018, parlayan_yildizlar_takimi, peakbolt, ravikiranweb3, rbserver, rvierdiiev, silviaxyz, volodya, zhuXKET, zzebra83
0.0748 USDC - $0.07
https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Equity.sol#L313
In the Equity contract, restructureCapTable aims to restructure the system after a devastating loss but fails to burn all participating members' tokens.
This affects the efforts to restructure the system after a devastating loss, since only the tokens of the first address would be burnt.
    function restructureCapTable(address[] calldata helpers, address[] calldata addressesToWipe) public {
        require(zchf.equity() < MINIMUM_EQUITY);
        checkQualified(msg.sender, helpers);
        for (uint256 i = 0; i<addressesToWipe.length; i++){
            address current = addressesToWipe[0];//@audit-issue only the first address
            _burn(current, balanceOf(current));
        }
    }
Manual Review
Replace addressesToWipe[0] with addressesToWipe[i].
#0 - c4-pre-sort
2023-04-20T14:24:29Z
0xA5DF marked the issue as duplicate of #941
#1 - c4-judge
2023-05-18T14:28:48Z
hansfriese marked the issue as satisfactory
🌟 Selected for report: juancito
Also found by: 0xAgro, 0xNorman, 0xSmartContract, 0xStalin, 0xTheC0der, 0xWaitress, 0xhacksmithh, 0xnev, 3dgeville, 8olidity, Arz, Aymen0909, BGSecurity, BRONZEDISC, Bauchibred, Bauer, BenRai, ChainHunters, ChrisTina, CodeFoxInc, DedOhWale, DishWasher, EloiManuel, IceBear, Inspex, Jorgect, Kaysoft, LeoGold, LewisBroadhurst, Madalad, MiloTruck, MohammedRizwan, Nyx, Polaris_tow, RaymondFam, SaharDevep, SanketKogekar, Sathish9098, SolidityATL, Udsen, W0RR1O, aria, ayden, berlin-101, bin2chen, catellatech, codeslide, crc32, decade, descharre, evmboi32, eyexploit, fatherOfBlocks, georgits, giovannidisiena, joestakey, karanctf, kodyvim, ltyu, lukris02, m9800, matrix_0wl, mov, mrpathfindr, nadin, niser93, p0wd3r, parlayan_yildizlar_takimi, pavankv, pontifex, qpzm, ravikiranweb3, rbserver, santipu_, shealtielanz, slvDev, tnevler, wonjun, xmxanuel, yixxas
22.6007 USDC - $22.60
suggestMinter can be initially front-run. https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Frankencoin.sol#L83
suggestMinter does the following check.
    if (_applicationPeriod < MIN_APPLICATION_PERIOD && totalSupply() > 0) revert PeriodTooShort();
    if (_applicationFee < MIN_FEE && totalSupply() > 0) revert FeeTooLow();
    if (minters[_minter] != 0) revert AlreadyRegistered();
This means that during deployment totalSupply() would be zero. An attacker or bot monitoring the mempool for such a transaction could front-run the call to suggestMinter, setting their own minter address with _applicationPeriod = 0 and _applicationFee = 0. This would bypass the check since && is used.
Recommendation:
Add a check if (totalSupply() == 0 && msg.sender != INITIAL_DEPLOYER) revert NOT_AUTHORIZED; to the suggestMinter function. With this you can also remove the other checks for totalSupply(), saving gas as well.
expectedSize parameter does not guard against frontrunners. https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/MintingHub.sol#L199
This parameter does not guard against frontrunners, since an MEV bot could read the calldata or follow the EVM traces.
Follow a commit-reveal scheme.
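The suggestMinter check from the first item above, next to the same check with the recommended deployer guard added, as a self-contained model. This is an added example, not code from the Frankencoin repository or from the report's author; the contract and function names, the totalSupply variable, modelMint, the constant values and the minters bookkeeping line are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration, not Frankencoin's code. Constant values are constructed
// placeholders; totalSupply is a plain variable standing in for the token supply.
contract SuggestMinterModel {
    error PeriodTooShort();
    error FeeTooLow();
    error AlreadyRegistered();
    error NOT_AUTHORIZED();

    uint256 public constant MIN_APPLICATION_PERIOD = 10 days; // placeholder value
    uint256 public constant MIN_FEE = 1000 ether;             // placeholder value
    address public immutable INITIAL_DEPLOYER;                // name taken from the recommendation

    uint256 public totalSupply;                 // stand-in, 0 right after deployment
    mapping(address => uint256) public minters; // minter => activation time (assumed bookkeeping)

    constructor() {
        INITIAL_DEPLOYER = msg.sender;
    }

    // Hypothetical helper so the totalSupply > 0 branches can be exercised in a test.
    function modelMint(uint256 amount) external { totalSupply += amount; }

    // Check as quoted in the finding: while totalSupply == 0 both minimums are
    // skipped for every caller, so period = 0 and fee = 0 are accepted from anyone.
    function suggestMinterAsQuoted(address _minter, uint256 _applicationPeriod, uint256 _applicationFee) external {
        if (_applicationPeriod < MIN_APPLICATION_PERIOD && totalSupply > 0) revert PeriodTooShort();
        if (_applicationFee < MIN_FEE && totalSupply > 0) revert FeeTooLow();
        if (minters[_minter] != 0) revert AlreadyRegistered();
        minters[_minter] = block.timestamp + _applicationPeriod;
    }

    // Same check with the recommended guard placed first: the zero-supply path is
    // reserved for the deployer. The original supply conditions are kept unchanged.
    function suggestMinterGuarded(address _minter, uint256 _applicationPeriod, uint256 _applicationFee) external {
        if (totalSupply == 0 && msg.sender != INITIAL_DEPLOYER) revert NOT_AUTHORIZED();
        if (_applicationPeriod < MIN_APPLICATION_PERIOD && totalSupply > 0) revert PeriodTooShort();
        if (_applicationFee < MIN_FEE && totalSupply > 0) revert FeeTooLow();
        if (minters[_minter] != 0) revert AlreadyRegistered();
        minters[_minter] = block.timestamp + _applicationPeriod;
    }
}
```

A unit test for the guarded form would assert that a non-deployer call reverts with NOT_AUTHORIZED while totalSupply is 0, and that after modelMint the minimum period and fee are enforced for every caller.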
#0 - 0xA5DF
2023-04-26T19:26:48Z
#1 is dupe of #921, #2 seems wrong
#1 - c4-judge
2023-05-16T16:29:42Z
hansfriese marked the issue as grade-b