Frankencoin - rvierdiiev's results

Lines of code

https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Equity.sol#L313

Vulnerability details

Impact

Equity.restructureCapTable function removes only 1 address balance and leave other passive holders with their shares.

Proof of Concept

There is a bug inside Equity.restructureCapTable function. https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Equity.sol#L313

    function restructureCapTable(address[] calldata helpers, address[] calldata addressesToWipe) public {
        require(zchf.equity() < MINIMUM_EQUITY);
        checkQualified(msg.sender, helpers);
        for (uint256 i = 0; i<addressesToWipe.length; i++){
            address current = addressesToWipe[0];
            _burn(current, balanceOf(current));
        }
    }

The function loops through the addressesToWipe array, but it always takes addressesToWipe[0], which is first element. Because of that it actually doesn't remove balances of another addresses and as result passive FPS holders still have shares inside the Equity contract after the function call.

Tools Used

VsCode

Recommended Mitigation Steps

Use addressesToWipe[i] to get element.

Lines of code

https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/MintingHub.sol#L140-L148 https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/MintingHub.sol#L208-L214 https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Position.sol#L312

Vulnerability details

Impact

Attacker can block positions to make them liquidatable without cost

Proof of Concept

When challenge is started, then position is blocked and owner can't withdraw collateral, change price, mint/burn zchf tokens. Everytime someone bids, then position.tryAvertChallenge function is called. It tries to check if price is good. https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Position.sol#L304-L317

    function tryAvertChallenge(uint256 _collateralAmount, uint256 _bidAmountZCHF) external onlyHub returns (bool) {
        if (block.timestamp >= expiration){
            return false; // position expired, let every challenge succeed
        } else if (_bidAmountZCHF * ONE_DEC18 >= price * _collateralAmount){
            // challenge averted, bid is high enough
            challengedAmount -= _collateralAmount;
            // Don't allow minter to close the position immediately so challenge can be repeated before
            // the owner has a chance to mint more on an undercollateralized position
            restrictMinting(1 days);
            return true;
        } else {
            return false;
        }
    }

In case if the price is sound, then restrictMinting(1 days) is called, which leaves positon freezed for 1 more day. Then challenger collateral is sent to bidder and bidder's amount is sent to challenger. This should be a mechanism that will prevent from user to create fake challenges.

But in case if attacker will be both challenger and bidder, then he will not face any material loss. Attacker can use next steps to block position until it becomes liquidatable: 1.Create challenge with sound price. 2.Then bid to block position for 1 day. 3.Repeat till price has changed and liquidate position. 4.Position was blocked all the time, so couldn't change price and became liquidatable.

Tools Used

VsCode

Recommended Mitigation Steps

I don't know good solution.