Canto Application Specific Dollars and Bonding Curves for 1155s - pep7siup's results

Lines of code

https://github.com/code-423n4/2023-11-canto/tree/main/1155tech-contracts/src/Market.sol#L150 https://github.com/code-423n4/2023-11-canto/tree/main/1155tech-contracts/src/Market.sol#L174

Vulnerability details

Impact

The vulnerability arises from the absence of slippage protection in the buy/sell functions of the smart contract. This exposes users to unintended consequences, where the token price, influenced by a bonding curve, may not align with their expectations. This unintentional scenario occurs when users are unable to specify an acceptable price target during transactions, leading to potential overpayment.

Proof of Concept

1. Alice intends to buy tokens at her target price of 10.
2. Other users unintentionally influence the price by buying 50 tokens just before Alice's transaction, pushing the price to 50 * increaseStep higher.
3. Alice's transaction executes, and she ends up paying more than expected due to the unintended price shift caused by the other users.

Tools Used

Manual Review

Recommended Mitigation Steps

To mitigate this critical vulnerability, it is advised to introduce slippage protection in the buy/sell functions. This safeguard empowers users to set an acceptable price range, preventing unintentional consequences and ensuring transactions align with their anticipated costs.

Assessed type

MEV

Lines of code

https://github.com/code-423n4/2023-11-canto/tree/main/1155tech-contracts/src/Market.sol#L118

Vulnerability details

Impact

The createNewShare function in the 1155Tech Market contract allows for the creation of shares susceptible to reorg attacks on certain chains like Arbitrum, Optimism, and Polygon.

Sponsor confirmed 1155tech could be deployed on different chain:

The impact is severe, as a malicious actor can exploit the reorg vulnerability during the share market listing event. If users rely on share IDs obtained in advance and initiate buy actions based on them, a malicious actor could frontrun the process during a reorg, resulting in the unauthorized sale of shares and the theft of user funds.

Proof of Concept

1. Alice starts a new share market and promotes her share ID.
2. Users obtain the share ID and initiate buy actions based on it.
3. Bob notices a reorg, frontruns createNewShare to obtain the share ID.
4. Alice's createNewShare is executed, assigning a new share ID (+1).
5. Users' pendinbuy transactions execute, unintentionally buying shares from Bob, leading to unintended profits for Bob.

Tools Used

Manual Review

Recommended Mitigation Steps

To address this critical vulnerability, it is recommended to add a warm-up period to shareData before buy/sell transactions can take place. This ensures that a sufficient amount of time has passed, making reorg attacks impossible during the creation of new shares.

References

• Report on Reorg Attack

Assessed type

MEV