Back to rouhsamad's contests

Revolution Protocol - rouhsamad's results

A protocol to empower communities to raise funds, fairly distribute governance, and maximize their impact in the world.

General Information

Platform: Code4rena

Start Date: 13/12/2023

Pot Size: $36,500 USDC

Total HM: 18

Participants: 110

Period: 8 days

Judge: 0xTheC0der

Id: 311

League: ETH

Collective

Findings Distribution

Researcher Performance

Rank: 59/110

Findings: 1

Award: $51.14

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryCollective

Findings Information

🌟 Selected for report: osmanozdemir1

Also found by: 0xDING99YA, BARW, Brenzee, DanielArmstrong, KupiaSec, SpicyMeatball, bart1e, deepplus, haxatron, rouhsamad, rvierdiiev

Labels

bug
2 (Med Risk)
satisfactory
sponsor confirmed
sufficient quality report
duplicate-194

Awards

51.1381 USDC - $51.14

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-12-revolutionprotocol/blob/main/packages/revolution/src/ERC20TokenEmitter.sol#L187-L188

Vulnerability details

Impact

in buyToken function of ERC20TokenEmitter, a percentage of msg.value is used to mint tokens for creator and remaining amount will be used to mint tokens for buyers, however, the amount of tokens to be minted for buyers is calculated in a wrong way, because the tokens which were minted for creator (totalTokensForCreators) are not added to emittedTokenWad before calculating totalTokensForBuyers (tokens that are going to be minted for buyers), this wrong accounting of sold tokens results in exponential increase in price as noted in the documentation: Basically, a VRGDA contract dynamically adjusts the price of a token to adhere to a specific issuance schedule. If the emission is ahead of schedule, the price increases exponentially. If it is behind schedule, the price of each token decreases by some constant decay rate.

Proof of Concept

as you can see in below section of buyToken function, totalTokensForCreators should be added to emittedTokenWad before calculating totalTokensForBuyers

    //@audit Direct ETH for sending to creator
    uint256 creatorDirectPayment = ((msgValueRemaining - toPayTreasury) * entropyRateBps) / 10_000;

    //@audit tokens calculated for creator
    int totalTokensForCreators = ((msgValueRemaining - toPayTreasury) - creatorDirectPayment) > 0
        ? getTokenQuoteForEther((msgValueRemaining - toPayTreasury) - creatorDirectPayment)
        : int(0);

    //@audit tokens calculated for buyers, however, totalTokensForCreators is not added to emittedTokenWad
    int totalTokensForBuyers = toPayTreasury > 0 ? getTokenQuoteForEther(toPayTreasury) : int(0);

    // Transfer ETH to treasury and update emitted
    emittedTokenWad += totalTokensForBuyers;
    if (totalTokensForCreators > 0) emittedTokenWad += totalTokensForCreators;

Tools Used

Manual review

its suggested to put this line: if (totalTokensForCreators > 0) emittedTokenWad += totalTokensForCreators; before: int totalTokensForBuyers = toPayTreasury > 0 ? getTokenQuoteForEther(toPayTreasury) : int(0);

Assessed type

Math

#0 - c4-pre-sort

2023-12-23T00:48:07Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2023-12-23T00:48:20Z

raymondfam marked the issue as duplicate of #194

#2 - c4-sponsor

2023-12-27T20:01:05Z

rocketman-21 (sponsor) confirmed

#3 - c4-judge

2024-01-06T14:02:27Z

MarioPoneder marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter