Frankencoin - markus_ether's results

A decentralized and fully collateralized stablecoin.

General Information

Platform: Code4rena

Start Date: 12/04/2023

Pot Size: $60,500 USDC

Total HM: 21

Participants: 199

Period: 7 days

Judge: hansfriese

Total Solo HM: 5

Id: 231

League: ETH

Frankencoin

Findings Distribution

Researcher Performance

Rank: 190/199

Findings: 1

Award: $0.07

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/Equity.sol#L309-L315

Vulnerability details

Impact

The restructureCapTable function is designed to wipe the balances of other accounts in the event that the system is at high risk and FPS holders want to restructure the system. It takes as input an array called addressesToWipe containing the addresses whose balances should be burned. However, the current implementation of the function only burns the balance of the first address in the array, leaving all others untouched. This could lead to unexpected scenarios where balances are not properly burned, posing a significant risk to the system. While making multiple calls could be a solution, this would result in additional gas costs. Therefore, a more effective approach would be to update the function to correctly burn the balances of all addresses in the addressesToWipe array, thereby mitigating the risk posed by the current implementation.

Proof of Concept

In the code they loop over all addresses and try to set their balances to zero.

The code has a bug that causes it to always take the 0th address instead of the ith address during each iteration. As a result, only the balance of the first address is burned.

Tools Used

Manual analysis

Recommended Mitigation Steps

To mitigate the issue, the loop in the restructureCapTable function should be updated to iterate over each address in the addressesToWipe array and burn the balance of each account. This can be achieved by changing the loop to the following:

for (uint256 i = 0; i < addressesToWipe.length; i++) {
    address current = addressesToWipe[i]; // index with i, not 0, so every listed account is wiped
    _burn(current, balanceOf(current));
}

This will ensure that the balances of all accounts in the addressesToWipe array are burned.
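As an added example that is not part of this finding or of the Frankencoin code base, the contract below models the loop pattern described in the Proof of Concept and the mitigation side by side. It replaces the ERC20 internals with a plain balances mapping (an assumption made so the contract is self-contained), keeps the buggy form that always reads index 0 next to the corrected form that reads index i, and exposes an allWiped view that a unit test or invariant check can assert on after a restructuring.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not Frankencoin code): a toy cap table that models the
// restructureCapTable loop with a plain balances mapping instead of ERC20.
contract CapTableDemo {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    // Seed balances for a demonstration. There is deliberately no access
    // control here; the contract exists only to show the loop behaviour.
    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
        totalSupply += amount;
    }

    function _burn(address from, uint256 amount) internal {
        balanceOf[from] -= amount;
        totalSupply -= amount;
    }

    // Buggy pattern described in the finding: the loop counter i is never
    // used to index the array, so element 0 is burned on every iteration,
    // which is a no-op after the first pass; all other accounts keep funds.
    function restructureBuggy(address[] calldata addressesToWipe) external {
        for (uint256 i = 0; i < addressesToWipe.length; i++) {
            address current = addressesToWipe[0];
            _burn(current, balanceOf[current]);
        }
    }

    // Corrected loop: index by i so every listed account is wiped.
    function restructureFixed(address[] calldata addressesToWipe) external {
        for (uint256 i = 0; i < addressesToWipe.length; i++) {
            address current = addressesToWipe[i];
            _burn(current, balanceOf[current]);
        }
    }

    // Post-condition a test or invariant should assert after a restructuring:
    // every account in the wipe list must hold a zero balance.
    function allWiped(address[] calldata addressesToWipe) external view returns (bool) {
        for (uint256 i = 0; i < addressesToWipe.length; i++) {
            if (balanceOf[addressesToWipe[i]] != 0) return false;
        }
        return true;
    }
}
```

In a Foundry or Hardhat test, mint to two constructed addresses, call restructureBuggy with both in the array, and allWiped returns false because only the first account was burned; the same setup followed by restructureFixed returns true. Asserting allWiped after the restructuring call is the check that would have caught the indexing defect before deployment.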

#0 - c4-pre-sort

2023-04-20T14:23:35Z

0xA5DF marked the issue as duplicate of #941

#1 - c4-judge

2023-05-18T14:28:12Z

hansfriese marked the issue as satisfactory
