Open code423n4 opened 1 year ago
0xA5DF marked the issue as primary issue
I have some doubts about severity (and validity of the issue), since nobody really lost any funds here. The protocol basically had equity before there were any FPS holders, so the first to mint FPS got it (we can enforce the amount sent for the first mint to be bigger than zero, but that wouldn't make a significant difference).
This would only be an issue immediately after the deployment of the frankencoin contracts before it was properly initialized.
luziusmeisser marked the issue as sponsor disputed
hansfriese changed the severity to QA (Quality Assurance)
hansfriese marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/Frankencoin.sol#L83
https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/Equity.sol#L241
Vulnerability details
Impact
The minter role has very high privilege, so an application fee is charged for suggesting someone as a minter. However, anyone can suggest minters for free by using the application fee to mint FPS.
Specifically, the function suggestMinter charges an application fee by calling _transfer to move it from msg.sender to the reserve. This increases the amount of equity. An attacker can use this equity to mint FPS by calling the function transferAndCall in the Frankencoin contract with an amount of 0 to Equity, then wait some time and redeem them all.
Proof of Concept
https://github.com/jan91e/2023-04-frankencoin/blob/issue3/test/BasicTests.ts (Will public after the competitions)
the exploit contract:
the test script:
the result:
Tools Used
manually
Recommended Mitigation Steps
Update the minterReserveE6 after suggesting minters.