Revolution Protocol - passteque's results

A protocol to empower communities to raise funds, fairly distribute governance, and maximize their impact in the world.

General Information

Platform: Code4rena

Start Date: 13/12/2023

Pot Size: $36,500 USDC

Total HM: 18

Participants: 110

Period: 8 days

Judge: 0xTheC0der

Id: 311

League: ETH

Collective

Findings Distribution

Researcher Performance

Rank: 82/110

Findings: 1

Award: $25.16

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

25.1638 USDC - $25.16

Labels

bug
2 (Med Risk)
satisfactory
sufficient quality report
duplicate-397

External Links

Lines of code

https://github.com/code-423n4/2023-12-revolutionprotocol/blob/d42cc62b873a1b2b44f57310f9d4bbfdd875e8d6/packages/revolution/src/ERC20TokenEmitter.sol#L152-L156

Vulnerability details

Impact

The buyToken function of the ERC20TokenEmitter contract lets users acquire the governance token at a price set by a VRGDA. The function has no form of slippage control, which matters here because the VRGDA price rises exponentially once the minted supply runs ahead of the issuance schedule.

Proof of concept

As can be observed from its parameters and implementation, the buyToken function of the ERC20TokenEmitter contract doesn't have any type of slippage protection:

    function buyToken(
        address[] calldata addresses,
        uint[] calldata basisPointSplits,
        ProtocolRewardAddresses calldata protocolRewardsRecipients
    ) public payable nonReentrant whenNotPaused returns (uint256 tokensSoldWad) {

This means that users have no control over the number of ERC20 tokens they will receive. Due to the exponential pricing function, there is an incentive to delay token purchases as long as possible.

For instance, if Alice calls the buyToken function and has either submitted her transaction with a low gas price or is outpaced by a more sophisticated user whose purchase is included first, she could end up with far fewer tokens than anticipated.

Tools Used

Manual Review

Recommended Mitigation Steps

An additional parameter could be added to the buyToken function to let users specify the minimum amount of tokens they are willing to receive, with a corresponding check against the minted amount after minting.
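To make the issue and the mitigation concrete, below is an added example (not code from the report or from Revolution Protocol) with the vulnerable shape of buyToken next to a hardened variant that takes a minimum-output parameter. The contract, its `priceFor` curve standing in for the real VRGDA, the `quoteTokens` helper and the `buyTokenWithMin` name are all assumptions made for this illustration; only the idea of a minimum-tokens parameter checked after minting comes from the recommendation above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical, simplified emitter written for this example. It is NOT the
/// Revolution Protocol ERC20TokenEmitter: the pricing curve is a constructed
/// stand-in for the VRGDA and minting is reduced to a balance counter.
contract SlippageExample {
    uint256 public totalSupplyWad;                 // tokens minted so far (18 decimals)
    mapping(address => uint256) public balanceOf;

    /// Constructed stand-in for the VRGDA: the price per whole token doubles
    /// for every 1000 tokens already minted, so it grows exponentially with
    /// supply in the same way the report describes.
    function priceFor(uint256 supplyWad) public pure returns (uint256) {
        uint256 steps = supplyWad / (1000 ether);
        return (0.001 ether) << steps;
    }

    /// Tokens obtainable for `payment` at the current supply (flat quote at
    /// the current marginal price; the real curve integrates, this does not).
    function quoteTokens(uint256 payment) public view returns (uint256) {
        return (payment * 1e18) / priceFor(totalSupplyWad);
    }

    /// Vulnerable form: mirrors the original's lack of a minimum. Whatever the
    /// supply is at inclusion time, the caller receives whatever that yields,
    /// even if earlier transactions in the block pushed the price up.
    function buyToken(address to) external payable returns (uint256 tokensWad) {
        tokensWad = quoteTokens(msg.value);
        _mint(to, tokensWad);
    }

    /// Hardened form: the caller states the minimum acceptable output. The
    /// check runs after minting, as the report suggests; a failed require
    /// reverts the whole call, so the mint is undone and funds are returned
    /// rather than delivering fewer tokens than the caller expected.
    function buyTokenWithMin(address to, uint256 minTokensWad)
        external
        payable
        returns (uint256 tokensWad)
    {
        tokensWad = quoteTokens(msg.value);
        _mint(to, tokensWad);
        require(tokensWad >= minTokensWad, "SLIPPAGE: fewer tokens than minimum");
    }

    function _mint(address to, uint256 amount) internal {
        totalSupplyWad += amount;
        balanceOf[to] += amount;
    }
}
```

A caller would typically read `quoteTokens(payment)` off-chain, apply a tolerance (for example 1 to 2 percent) and pass the result as `minTokensWad`. With the vulnerable `buyToken`, a purchase of 1 ether quoted at supply 0 yields 1000 tokens, but if another buyer's transaction lands first and pushes supply past 1000 tokens, the same 1 ether silently yields only 500; with `buyTokenWithMin` the call reverts instead.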

Assessed type

Other

#0 - c4-pre-sort

2023-12-22T21:41:15Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2023-12-22T21:41:24Z

raymondfam marked the issue as duplicate of #26

#2 - c4-pre-sort

2023-12-24T06:00:55Z

raymondfam marked the issue as duplicate of #397

#3 - c4-judge

2024-01-06T16:31:18Z

MarioPoneder marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
