However, the function does not track whether a clone token has already been minted for a particular KUMABondToken id. An attacker can abuse this to mint multiple clone tokens for the same KUMABondToken id by invoking the buyBond function multiple times.
Please note that every buyBond call costs the attacker a realizedBondValue amount of KIBToken.
Proof of Concept
Consider this scenario:
1. KUMABondToken with id 1 was sold to the KUMASwap contract.
2. Assume that for this token id the bondFaceValue is greater than realizedBondValue.
3. Attacker invokes the buyBond function with token id 1 as input. This mints a clone KBCToken token to the attacker.
4. Attacker invokes the buyBond function again with token id 1 as input. This again mints another clone KBCToken token to the attacker.
Tools Used
Manual review
Recommended Mitigation Steps
Consider tracking the already minted KBCToken tokens so that their double minting can be prevented.
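A minimal sketch of the tracking suggested above, as an added example that is not the KUMA protocol's code: SwapModel, cloneIssued, CloneAlreadyIssued and the other names are hypothetical, and the KIBToken payment and KBCToken mint are reduced to counters. It puts the untracked path described in the finding next to one that records the parent id before minting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration: simplified stand-in for the clone-minting path.
// All names here are hypothetical; this is not KUMASwap or KBCToken code.
contract SwapModel {
    struct ReserveBond {
        bool inReserve;        // bond was sold to the swap contract
        uint256 faceValue;     // bondFaceValue
        uint256 realizedValue; // realizedBondValue
    }

    mapping(uint256 => ReserveBond) public reserve; // keyed by parent bond id
    mapping(uint256 => bool) public cloneIssued;    // parent id => clone already minted
    mapping(address => uint256) public clonesHeld;  // stand-in for KBCToken balances

    error NotInReserve(uint256 tokenId);
    error CloneAlreadyIssued(uint256 tokenId);

    function sellBond(uint256 tokenId, uint256 faceValue, uint256 realizedValue) external {
        reserve[tokenId] = ReserveBond(true, faceValue, realizedValue);
    }

    // Behaviour described in the finding: nothing records that a clone exists.
    function buyBondUntracked(uint256 tokenId) external {
        ReserveBond storage b = reserve[tokenId];
        if (!b.inReserve) revert NotInReserve(tokenId);
        if (b.faceValue > b.realizedValue) {
            clonesHeld[msg.sender] += 1; // a repeat call mints another clone
        } else {
            b.inReserve = false; // the parent bond itself leaves the reserve
        }
    }

    // Mitigation: record the mint first, then reject a second clone for the id.
    function buyBondTracked(uint256 tokenId) external {
        ReserveBond storage b = reserve[tokenId];
        if (!b.inReserve) revert NotInReserve(tokenId);
        if (b.faceValue > b.realizedValue) {
            if (cloneIssued[tokenId]) revert CloneAlreadyIssued(tokenId);
            cloneIssued[tokenId] = true;
            clonesHeld[msg.sender] += 1;
        } else {
            b.inReserve = false;
        }
    }
}
```

In this model a second buyBondTracked call for the same parent id reverts with CloneAlreadyIssued, while buyBondUntracked increments the caller's clone count on every call.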
Lines of code
https://github.com/code-423n4/2023-02-kuma/blob/main/src/kuma-protocol/KUMASwap.sol#L177
Vulnerability details
Impact
The KUMASwap.buyBond function mints a KBCToken clone token for every KUMABondToken whose bondFaceValue is greater than realizedBondValue.