Canto Application Specific Dollars and Bonding Curves for 1155s - rice_cooker's results

Tokenizable bonding curves using a Stablecoin-as-a-Service token

General Information

Platform: Code4rena

Start Date: 13/11/2023

Pot Size: $24,500 USDC

Total HM: 3

Participants: 120

Period: 4 days

Judge: 0xTheC0der

Id: 306

League: ETH

Canto

Findings Distribution

Researcher Performance

Rank: 118/120

Findings: 1

Award: $1.37

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-11-canto/blob/335930cd53cf9a137504a57f1215be52c6d67cb3/1155tech-contracts/src/Market.sol#L150-L169
https://github.com/code-423n4/2023-11-canto/blob/335930cd53cf9a137504a57f1215be52c6d67cb3/1155tech-contracts/src/Market.sol#L174-L189
https://github.com/code-423n4/2023-11-canto/blob/335930cd53cf9a137504a57f1215be52c6d67cb3/1155tech-contracts/src/Market.sol#L203-L221
https://github.com/code-423n4/2023-11-canto/blob/335930cd53cf9a137504a57f1215be52c6d67cb3/1155tech-contracts/src/Market.sol#L226-L241

Vulnerability details

Impact

In the Market contract, there is no slippage protection in four functions: Market::buy(), Market::sell(), Market::mintNFT() and Market::burnNFT(). Because the price and fee are computed from the on-chain supply at execution time and the caller cannot state an acceptable bound, a malicious user can sandwich a victim's transaction.

Proof of Concept

The attack path can be as follows:

  • For the selling case: the malicious user frontruns by executing sell(), so that the victim's sell() receives less than expected. Afterwards the malicious user backruns by executing buy().
  • For the buying case: the malicious user frontruns by executing buy(), so that the victim's buy() spends more tokens than expected. Afterwards the malicious user backruns by executing sell().
  • For the NFT minting and burning case: the malicious user does not earn anything directly, but can still sandwich the transaction to make the victim pay a higher fee for mintNFT() / burnNFT() than expected.

Tools Used

Manual review

Recommended Mitigation Steps

Add a caller-supplied upper bound on the amount spent in buy(), mintNFT() and burnNFT(), and a caller-supplied lower bound on the amount received in sell(); revert when the computed price or fee falls outside the bound.
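The following contract is an added illustration written for this page; it is not the audited Market.sol and its curve, fee rule, storage names and function signatures (maxCost, minProceeds, maxFee, deadline) are all assumptions. It shows the unprotected buy pattern the finding describes next to the bounded versions of buy(), sell(), mintNFT() and burnNFT(), and adds a deadline check, which goes slightly beyond the finding's recommendation but is the usual companion to a slippage bound.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Minimal bonding-curve market with caller-supplied slippage bounds.
/// Assumed model: unit i of share `id` costs BASE_PRICE * i, and NFT
/// mint/burn charges a fee proportional to the current unit price.
contract SlippageGuardedMarket {
    uint256 public constant BASE_PRICE = 1e15;   // assumed curve constant (wei)
    uint256 public constant NFT_FEE_BPS = 100;   // assumed 1% of unit price per NFT

    mapping(uint256 => uint256) public supplyByShare;                  // circulating units per share id
    mapping(uint256 => mapping(address => uint256)) public balance;    // fungible units held
    mapping(uint256 => mapping(address => uint256)) public nftBalance; // NFTs held
    mapping(address => uint256) public paymentBalance;                 // stand-in for the payment token

    error SlippageExceeded(uint256 actual, uint256 bound);
    error Expired();

    modifier notExpired(uint256 deadline) {
        if (block.timestamp > deadline) revert Expired();
        _;
    }

    /// Fund the internal payment balance so the example can be exercised.
    function deposit() external payable {
        paymentBalance[msg.sender] += msg.value;
    }

    /// Cost of buying `amount` units when `supply` units are circulating.
    function getBuyPrice(uint256 supply, uint256 amount) public pure returns (uint256 price) {
        for (uint256 i = 1; i <= amount; i++) price += BASE_PRICE * (supply + i);
    }

    /// Proceeds from selling `amount` units when `supply` units are circulating.
    function getSellPrice(uint256 supply, uint256 amount) public pure returns (uint256 price) {
        for (uint256 i = 0; i < amount; i++) price += BASE_PRICE * (supply - i);
    }

    /// Fee for minting or burning `amount` NFTs at the current unit price.
    function nftFee(uint256 id, uint256 amount) public view returns (uint256) {
        uint256 unitPrice = BASE_PRICE * (supplyByShare[id] + 1);
        return unitPrice * NFT_FEE_BPS * amount / 10_000;
    }

    // Before: the pattern the finding flags. Whatever the curve says when the
    // transaction is mined is what the caller pays; a frontrun buy raises it.
    function buyUnprotected(uint256 id, uint256 amount) external {
        uint256 cost = getBuyPrice(supplyByShare[id], amount);
        paymentBalance[msg.sender] -= cost; // checked arithmetic reverts on insufficient funds
        supplyByShare[id] += amount;
        balance[id][msg.sender] += amount;
    }

    // After: the caller states the most they will pay; a frontrun that pushes
    // the price above it makes the victim's transaction revert instead.
    function buy(uint256 id, uint256 amount, uint256 maxCost, uint256 deadline)
        external notExpired(deadline)
    {
        uint256 cost = getBuyPrice(supplyByShare[id], amount);
        if (cost > maxCost) revert SlippageExceeded(cost, maxCost);
        paymentBalance[msg.sender] -= cost;
        supplyByShare[id] += amount;
        balance[id][msg.sender] += amount;
    }

    // After: the caller states the least they will accept.
    function sell(uint256 id, uint256 amount, uint256 minProceeds, uint256 deadline)
        external notExpired(deadline)
    {
        uint256 proceeds = getSellPrice(supplyByShare[id], amount);
        if (proceeds < minProceeds) revert SlippageExceeded(proceeds, minProceeds);
        balance[id][msg.sender] -= amount;
        supplyByShare[id] -= amount;
        paymentBalance[msg.sender] += proceeds;
    }

    // After: the fee depends on supply, so it gets the same upper bound as a purchase.
    function mintNFT(uint256 id, uint256 amount, uint256 maxFee, uint256 deadline)
        external notExpired(deadline)
    {
        uint256 fee = nftFee(id, amount);
        if (fee > maxFee) revert SlippageExceeded(fee, maxFee);
        balance[id][msg.sender] -= amount; // fungible units locked into NFTs
        paymentBalance[msg.sender] -= fee;
        nftBalance[id][msg.sender] += amount;
    }

    function burnNFT(uint256 id, uint256 amount, uint256 maxFee, uint256 deadline)
        external notExpired(deadline)
    {
        uint256 fee = nftFee(id, amount);
        if (fee > maxFee) revert SlippageExceeded(fee, maxFee);
        nftBalance[id][msg.sender] -= amount;
        paymentBalance[msg.sender] -= fee;
        balance[id][msg.sender] += amount;
    }
}
```

A caller computes the bound off-chain from the quoted price (for example getBuyPrice(supply, amount) plus a tolerance) and passes it in; the contract then enforces that the execution-time price or fee has not drifted past it, which is what removes the value of reordering the victim's transaction.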

Assessed type

Other

#0 - c4-pre-sort

2023-11-18T09:52:18Z

minhquanym marked the issue as duplicate of #12

#1 - c4-judge

2023-11-28T23:27:03Z

MarioPoneder marked the issue as satisfactory
