Canto Application Specific Dollars and Bonding Curves for 1155s - nmirchev8's results

Tokenizable bonding curves using a Stablecoin-as-a-Service token

General Information

Platform: Code4rena

Start Date: 13/11/2023

Pot Size: $24,500 USDC

Total HM: 3

Participants: 120

Period: 4 days

Judge: 0xTheC0der

Id: 306

League: ETH

Canto

Findings Distribution

Researcher Performance

Rank: 100/120

Findings: 1

Award: $1.37

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-11-canto/blob/335930cd53cf9a137504a57f1215be52c6d67cb3/1155tech-contracts/src/Market.sol#L150-L169

https://github.com/code-423n4/2023-11-canto/blob/335930cd53cf9a137504a57f1215be52c6d67cb3/1155tech-contracts/src/Market.sol#L174-L189

Vulnerability details

Summary

Market.sol uses a bonding curve, which makes the price of the token increase linearly as more tokens (shares) are minted or purchased. Those who mint earlier therefore pay less and benefit more from the price and fees paid by later participants.

Impact

The problem here is the well-known sandwich attack, which is possible by front-running a user's transaction whenever doing so is beneficial for another user. The benefit comes from the formula, which charges the minter a greater amount of the underlying token depending on the total amount of shares minted. The same holds for selling: whoever sells first receives a greater amount. If an attacker combines both approaches, he can front-run a depositor by minting a large amount of shares, which gives him leverage over the victim's original transaction. The attacker can then immediately sell his shares at a higher price. The impact is high, because the attacker could use a large amount, which would result in the victim paying more funds. It could also result in loss of user funds if a depositor with a larger share balance front-runs the original user's sell transaction, which would otherwise have been beneficial for that user (the victim, the original seller, benefits only if no other sell happens before his).

Proof of Concept

Here is a gist with a test, which you should paste into 1155tech-contracts/src/test/Market.t.sol and run using forge test --match-contract testSandwichLeverage

Tools Used

Manual Review

Implement a slippage check when a user executes a buy or sell transaction. Also, the user can provide the token count when initiating the transaction, and the call can later revert if this parameter does not match the token count at execution. Example:

function buy(uint256 _id, uint256 tokenCountBeforeBuying, uint256 _amount) external {
    // Revert if shares were minted or sold after the caller built this transaction
    require(tokenCountBeforeBuying == shareData[_id].tokenCount, "Token count mismatch");
    require(shareData[_id].creator != msg.sender, "Creator cannot buy");
    // ... continue original transaction
}
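
The effect of the two guards recommended above, as an added example that is not part of the original report or the Canto code base: a toy Python model of a linear curve in which the n-th share costs PRICE_STEP * n. PRICE_STEP, Market, max_cost, min_payout and user_buy_outcome are names assumed here, and fees are omitted.

```python
# Toy linear bonding curve: the n-th share costs PRICE_STEP * n (fees omitted).
# PRICE_STEP, Market, max_cost and min_payout are names assumed for this example.
PRICE_STEP = 1_000


class Revert(Exception):
    """Stands in for a Solidity revert."""


class Market:
    def __init__(self, token_count):
        self.token_count = token_count

    def _span(self, lo, hi):
        # Total price of shares lo+1 .. hi on the curve.
        return PRICE_STEP * (hi * (hi + 1) - lo * (lo + 1)) // 2

    def buy(self, amount, expected_count=None, max_cost=None):
        # Guard from the recommendation: supply must match what the caller saw.
        if expected_count is not None and expected_count != self.token_count:
            raise Revert("Token count mismatch")
        cost = self._span(self.token_count, self.token_count + amount)
        # Slippage guard: cap on what the caller is willing to pay.
        if max_cost is not None and cost > max_cost:
            raise Revert("Slippage exceeded")
        self.token_count += amount
        return cost

    def sell(self, amount, min_payout=None):
        if amount > self.token_count:
            raise Revert("Not enough shares")
        payout = self._span(self.token_count - amount, self.token_count)
        # Slippage guard for sellers: floor on what the caller accepts.
        if min_payout is not None and payout < min_payout:
            raise Revert("Slippage exceeded")
        self.token_count -= amount
        return payout


def user_buy_outcome(prior_buy, **guards):
    """Cost of a 5-share buy quoted at supply 10 after `prior_buy` shares land first."""
    market = Market(token_count=10)  # constructed starting state
    if prior_buy:
        market.buy(prior_buy)
    try:
        return market.buy(5, **guards)
    except Revert as exc:
        return str(exc)
```

Without guards, a 20-share buy landing first raises the cost of the 5-share purchase from 65,000 to 165,000 units; with either guard the purchase reverts and nothing is spent.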

Assessed type

MEV

#0 - c4-pre-sort

2023-11-18T09:50:53Z

minhquanym marked the issue as duplicate of #12

#1 - c4-judge

2023-11-28T23:14:14Z

MarioPoneder changed the severity to 2 (Med Risk)

#2 - c4-judge

2023-11-28T23:26:21Z

MarioPoneder marked the issue as satisfactory
