Canto Application Specific Dollars and Bonding Curves for 1155s - merlinboii's results

Tokenizable bonding curves using a Stablecoin-as-a-Service token

General Information

Platform: Code4rena

Start Date: 13/11/2023

Pot Size: $24,500 USDC

Total HM: 3

Participants: 120

Period: 4 days

Judge: 0xTheC0der

Id: 306

League: ETH

Canto

Findings Distribution

Researcher Performance

Rank: 74/120

Findings: 1

Award: $4.08

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

4.0797 USDC - $4.08

Labels

bug
downgraded by judge
grade-b
QA (Quality Assurance)
sponsor disputed
sufficient quality report
Q-43

External Links

Lines of code

https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L226-L241

Vulnerability details

Risk: Medium

  • Impact: High
  • Likelihood: Low

Impact

Indirect share participation with less payout: NFT holders, in addition to regular shareholders, are able to burn the NFT. This lets them participate indirectly (through burnNFT()) in a specific share while paying less than direct participation through buy() would cost.

Vulnerabilities

The Market contract allows anyone holding the NFT, not only the holder of the underlying share, to burn it, which conflicts with the behaviour described in the project details.

Reference: Canto-1155tech-Doc

By calling the burnNFT function, callers who do not hold shares can participate in a specific share by paying only the fee required to burn the NFT they own:

```solidity
uint256 fee = getNFTMintingPrice(_id, _amount);

SafeERC20.safeTransferFrom(token, msg.sender, address(this), fee);
```

As a result, a share can be entered indirectly at a lower cost than direct participation, which may be considered unfair to the other holders.

Proof of Concept

Assuming that Alice and Bob each hold some tokens for payment, and Bob has not participated in any shares:

  1. The creator creates a new share, and let's assume the share ID is 1.
  2. Alice purchases one share from Share ID 1 using her tokens via the buy function.
  3. Alice mints a 1:1 ERC-1155 NFT corresponding to the purchased share.
  4. Alice transfers the NFT to Bob by any method or reasoning, allowing Bob to become the owner of the NFT.
  5. 💣 Bob, who does not currently hold any shares, decides to burn the NFT via the burnNFT function. In this process, he only pays the fee required to participate.

Consequence:

  • By burning the NFT, Bob participates in Share ID 1, paying only the required fee, which is less than the normal cost of participation.

Tools Used

  • Manual Review
  • Foundry

Recommended Mitigation Steps

  • If the intention is not to allow a mechanism for participants like Bob to access shares at a reduced price, consider applying the restriction that only the holders of the shares can call burnNFT.
  • If the intention is to provide a mechanism for participants like Bob to access shares at a reduced price, carefully consider the fairness implications.

The recommendation should be considered in alignment with the project's business requirements, and any updates should be tested to ensure they meet the specific needs of the project.
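As an added sketch for this report (not the 1155tech Market.sol code), the following contract places the unrestricted burn path described above beside the first mitigation option, a burn that only existing share holders may call. The mappings sharesOf and nftBalance, the flat per-unit fee and the function names are hypothetical stand-ins for the real contract's storage and fee logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC-20 surface needed to collect the burn fee.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Added sketch for this report, not the 1155tech Market.sol code.
// sharesOf, nftBalance and NFT_FEE_PER_UNIT are hypothetical stand-ins.
contract MarketSketch {
    IERC20 public immutable token;
    uint256 public constant NFT_FEE_PER_UNIT = 1e18; // constructed sample fee

    // share balance per (shareId, account), credited on buy() and on a burn
    mapping(uint256 => mapping(address => uint256)) public sharesOf;
    // ERC-1155 style NFT balance per (shareId, account); freely transferable
    mapping(uint256 => mapping(address => uint256)) public nftBalance;

    constructor(IERC20 _token) { token = _token; }

    function getNFTMintingPrice(uint256, uint256 _amount) public pure returns (uint256) {
        return _amount * NFT_FEE_PER_UNIT;
    }

    // Behaviour described in the report: any NFT holder can burn, pays only the
    // minting fee, and ends up holding shares of _id.
    function burnNFTUnrestricted(uint256 _id, uint256 _amount) external {
        _burnAndCredit(_id, _amount);
    }

    // First mitigation option from the report: the caller must already hold
    // shares of _id before the NFT can be burned back into shares.
    function burnNFTHoldersOnly(uint256 _id, uint256 _amount) external {
        require(sharesOf[_id][msg.sender] > 0, "burnNFT: caller holds no shares");
        _burnAndCredit(_id, _amount);
    }

    // Shared path: check NFT ownership, collect the fee, burn, credit shares.
    function _burnAndCredit(uint256 _id, uint256 _amount) internal {
        require(nftBalance[_id][msg.sender] >= _amount, "burnNFT: insufficient NFT balance");
        uint256 fee = getNFTMintingPrice(_id, _amount);
        require(token.transferFrom(msg.sender, address(this), fee), "burnNFT: fee transfer failed");
        nftBalance[_id][msg.sender] -= _amount;
        sharesOf[_id][msg.sender] += _amount;
    }
}
```

In the scenario from the Proof of Concept, Bob (holding the NFT but no shares of ID 1) succeeds through burnNFTUnrestricted and is rejected by burnNFTHoldersOnly.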

Assessed type

Invalid Validation

#0 - c4-pre-sort

2023-11-18T16:09:37Z

minhquanym marked the issue as sufficient quality report

#1 - c4-sponsor

2023-11-27T11:18:18Z

OpenCoreCH (sponsor) disputed

#2 - OpenCoreCH

2023-11-27T11:22:46Z

If Alice sells the NFT to Bob, the price should be (at least) 90% of the current market price, anything lower than that opens up arbitrage opportunities. But that's no vulnerability or unfairness, that's just the primary market which sets a floor on the secondary market by having a buyback mechanism, i.e. a mechanism that exists in many protocols / markets.

#3 - MarioPoneder

2023-11-29T14:45:10Z

Although I acknowledge the concerns outlined in the report, this is rather a design choice and market mechanics than an explicit bug of the protocol per se, therefore QA seems appropriate.

#4 - c4-judge

2023-11-29T14:45:16Z

MarioPoneder changed the severity to QA (Quality Assurance)

#5 - c4-judge

2023-11-29T22:41:15Z

MarioPoneder marked the issue as grade-b
