Canto Application Specific Dollars and Bonding Curves for 1155s - tourist's results

Lines of code

https://github.com/code-423n4/2023-11-canto/blob/335930cd53cf9a137504a57f1215be52c6d67cb3/asD/src/asDFactory.sol#L25 https://github.com/code-423n4/2023-11-canto/blob/335930cd53cf9a137504a57f1215be52c6d67cb3/1155tech-contracts/src/Market.sol#L123

Vulnerability details

Impact

The _cNote parameter in asD contract's constructor and _bondingCurve parameter in Market contact's createNewShare function are not checked for zero value.

The asD contract addresses will be stored in asDFactory's isAsD mapping. The shares will be stored in shareIDs and shareData mappings. There are no functionality to update/remove for both of the parameters.

The Canto team confirmed by private DM that the mappings will be used by off-chain applicatons (frontend) to show the data to the user. Most of the off-chain applications will read the data from mappings without checking for zero values for cNote and bondingCurve parameters, which will lead to unnecessary gas usage from users, because many of the functions will revert.

I am adding it as a Medium risk, because of this paragraph from Code4rena docs: "2 — Med: Assets not at direct risk, but the function of the protocol or its availability could be impacted..."

Proof of Concept

The test case is for asD's mint function, but gas usage will be similar or more for other functions.

1. Declare asD contract object in asD.t.sol

contract asDFactory is Test {
    asD asdToken;
    asD asdTokenZeroCNote;
    ...

2. Add below lines in setUp function in asD.t.sol

function setUp() public {
    ...
    asdTokenZeroCNote = new asD(
            asDName,
            asDSymbol,
            owner,
            address(0x0),
            owner
     );
     uint256 mintAmount = 10e18;
     NOTE.mint(address(this), mintAmount);

     NOTE.approve(address(asdTokenZeroCNote), mintAmount);

3. Add testMintZeroCNote function in asD.t.sol file

function testMintZeroCNote() public {
    asdTokenZeroCNote.mint(10e18);
}

4. Run only the new test case with forge test --match-test "testMintZeroCNote"

5. Test result:

Running 1 test for src/test/asD.t.sol:asDFactory
[FAIL. Reason: EvmError: Revert] testMintZeroCNote() (gas: 8647)
Test result: FAILED. 0 passed; 1 failed; 0 skipped; finished in 2.06ms
 
Ran 1 test suites: 0 tests passed, 1 failed, 0 skipped (1 total tests)

Tools Used

Foundry, Manual review

Recommended Mitigation Steps

Add zero address check for both of the parameters.

Assessed type

Invalid Validation