Canto Application Specific Dollars and Bonding Curves for 1155s - mahyar's results

Lines of code

https://github.com/code-423n4/2023-11-canto/blob/335930cd53cf9a137504a57f1215be52c6d67cb3/1155tech-contracts/src/bonding_curve/LinearBondingCurve.sol#L14-L25 https://github.com/code-423n4/2023-11-canto/blob/335930cd53cf9a137504a57f1215be52c6d67cb3/1155tech-contracts/src/Market.sol#L150-L189

Vulnerability details

Impact

In Market users can buy/sell tokens and as more tokens get created the price will rise due to the calculation of the price in LinearBondingCurve::getPriceAndFee(), however the problem is there is no timelock when user buys a token and s/he is able to sell the token immediately, this provide the opportunity for attacker frontrun a buy token from another user and after user's transaction got placed the price will go up and attacker can sell the bought tokens immediately with profit.

Proof of Concept

Imagine a user who wants to buy 10 tokens and the attacker notice this in the mempool and frontrun the tx by buying 10 tokens after user's transaction got placed attacker will sell his 10 tokens with profit

File: 2023-11-canto\1155tech-contracts\src\bonding_curve\LinearBondingCurve.sol
14:     function getPriceAndFee(uint256 shareCount, uint256 amount)
15:         external
16:         view
17:         override
18:         returns (uint256 price, uint256 fee)
19:     {
20:         for (uint256 i = shareCount; i < shareCount + amount; i++) {
21:             uint256 tokenPrice = priceIncrease * i;
22:             price += tokenPrice;
23:             fee += (getFee(i) * tokenPrice) / 1e18;
24:         }
25:     }

As you see the price on line 21 is multiplied by the tokenCount so since attacker bought tokens before the user he will be able to sell it with profit.

Tools Used

Manual review

Recommended Mitigation Steps

consider adding timelock when user buys tokens this way tokens can't be sold immediately

Assessed type

Other