Code4rena (code423n4): CODE423N4:2023-04-FRANKENCOIN-FINDINGS-ISSUES-805
Apr 19, 2023 - 12:00 a.m.

The owner of a position can mint zchf without limit by becoming the challenger that successfully challenges their own position to receive an unlimited reward.


Lines of code
<https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/Position.sol#L329-L354>
<https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/MintingHub.sol#L252-L276>

Vulnerability details

Summary

The owner of a position can become the challenger of their own position and end the challenge within the same block in which they opened the position, earning an unlimited reward. By executing everything within the same block, the owner prevents intervention by other parties such as the voters, other challengers, and bidders.

POC

- To guarantee that no other bidder can intervene, the owner creates a position and sets _challengeSeconds to 0.

- After successfully creating the position, the owner calls launchChallenge within the same block as the creation of the position and sets the challenger's _collateralAmount equal to the collateral amount of the position.

<https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/MintingHub.sol#L252-L276>

- After launching the challenge, within the same block, the owner can end the auction. This passes because challenger.end is equal to the block.timestamp of the creation of the position and the launch of the challenge.

- The challenger's collateral is returned to the challenger (the owner) in line 257.

- Since challenge.bidder is the zero address (because no one has bid yet), the recipient is msg.sender (the owner who initiates this function) in line 259. The collateral in the owner's position then flows back to the owner. Now all the costs are covered.

<https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/Position.sol#L329-L354>

- Apart from sending the collateral back to the owner, the function challenge.position.notifyChallengeSucceeded produces a volume equal to the size of the challenge * price (line 347), which is used to calculate the reward for winning the challenge.

<https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/MintingHub.sol#L252-L276>

- In line 269, because `effectiveBid` is zero due to no bid, `fundsNeeded` will always be larger, which triggers notifyLoss and allows the owner to mint zchf, bypassing the minting restriction.

- With this method the owner gets back the collateral from both the position and the challenge, as well as the reward for winning the challenge.

Mitigation

- Add a time restriction on the end function to leave a gap in which other participants or voters can get involved with the position.
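One way to express the time restriction described in the mitigation, as an added Solidity sketch that is not Frankencoin's code or its actual fix. The contract name, the function and error names other than launchChallenge and end, and the one-day minimum are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Added illustration, not Frankencoin code. All names and the one-day
// minimum are assumptions chosen for this example.
contract ChallengeTimingGuard {
    uint256 public constant MIN_CHALLENGE_SECONDS = 1 days; // assumed policy value

    struct Challenge {
        address challenger;
        uint256 start; // block.timestamp when the challenge was launched
        uint256 end;   // earliest time the challenge may be settled
    }

    mapping(uint256 => uint256) public challengeSecondsOf; // positionId => period
    Challenge[] public challenges;

    error PeriodTooShort(uint256 given, uint256 minimum);
    error ChallengeStillOpen(uint256 nowTs, uint256 endTs);
    error UnknownOrSettled();

    // Guard 1: a position cannot be registered with a zero (or tiny) challenge
    // period, so every challenge on it leaves a window for bidders and voters.
    function registerPosition(uint256 positionId, uint256 challengeSeconds) external {
        if (challengeSeconds < MIN_CHALLENGE_SECONDS)
            revert PeriodTooShort(challengeSeconds, MIN_CHALLENGE_SECONDS);
        challengeSecondsOf[positionId] = challengeSeconds;
    }

    function launchChallenge(uint256 positionId) external returns (uint256 id) {
        uint256 period = challengeSecondsOf[positionId];
        if (period < MIN_CHALLENGE_SECONDS)
            revert PeriodTooShort(period, MIN_CHALLENGE_SECONDS);
        challenges.push(Challenge(msg.sender, block.timestamp, block.timestamp + period));
        return challenges.length - 1;
    }

    // Guard 2: settlement requires the full period to have elapsed and can
    // never succeed in the block that launched the challenge.
    function end(uint256 id) external {
        Challenge memory c = challenges[id];
        if (c.challenger == address(0)) revert UnknownOrSettled();
        if (block.timestamp <= c.start || block.timestamp < c.end)
            revert ChallengeStillOpen(block.timestamp, c.end);
        delete challenges[id]; // mark settled before any payout logic runs
        // Collateral return, reward and loss accounting would follow here.
    }
}
```

The two guards are independent: the first removes the zero-length period at position creation, the second keeps end from succeeding at the launch timestamp even if a short period were ever accepted.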

