Closed code423n4 closed 1 year ago
0xA5DF marked the issue as primary issue
0xA5DF marked the issue as low quality report
It's the minter's responsibility to burn the tokens with the same reserve PPM as when it was created
hansfriese changed the severity to QA (Quality Assurance)
hansfriese marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Frankencoin.sol#L194-L197
https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Frankencoin.sol#L223-L229
Vulnerability details
Impact
In the `Frankencoin.burn()` function, the minter is allowed to burn the debt by burning `ZCHF` tokens and freeing and donating the respective minter reserve amount to the pool share holders. The comment on the function implementation says the following:

"Minters calling this method are only allowed to so for tokens amounts they previously minted with the same _reservePPM amount."

But the check for the same `_reservePPM` amount is never implemented in the `Frankencoin.burn()` function. Hence the minter can pass any `reservePPM` as the input parameter and increase the `equity` portion of the reserve, thus increasing the profit attributable to the pool share holders. If the minter himself is a pool share holder, he can use this to increase his own portion of the profit. Even if the minter is not malicious, there is a possibility that he inputs a higher `_reservePPM` by mistake, which would lead to increased profit attributable to the pool share holders. This is not the intended behaviour of the protocol.

A similar issue is found in the `Frankencoin.burnFrom()` function as well. Here the comment mentions that the same `_reservePPM` used for the mint by the caller should be used as `_reservePPM` for this function, but this is not enforced in the function logic. Hence if by mistake the minter uses a higher `_reservePPM` as the input parameter, the `assigned` value of the function will be higher than expected, and more `ZCHF` will be transferred to the `payer` from the `minter reserve`. The `payer` therefore gets an unfair advantage, since he repays a smaller amount of `ZCHF` tokens and more tokens are paid from the `minter reserve` at the expense of other payers.

Proof of Concept
https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Frankencoin.sol#L194-L197
https://github.com/code-423n4/2023-04-frankencoin/blob/main/contracts/Frankencoin.sol#L223-L229
Tools Used
VSCode and Manual Review
Recommended Mitigation Steps
It is recommended to store the previous `_reservePPM` for each debt position minted in a mapping and to check that value against the input parameter `_reservePPM` of the `Frankencoin.burn()` function when repaying the debt by burning the `ZCHF` amount.
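As an added illustration of the recommended mitigation (a hypothetical, simplified contract written for this note, not the Frankencoin code): the token contract records, per minter and per reserve PPM, how much is outstanding, so that `burn()` can only be called with a PPM the minter actually minted at. Keying by minter and PPM rather than by "debt position" is an assumption, since the token contract itself does not know about positions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical, simplified model (not the Frankencoin implementation).
/// Tracks how much each minter minted at each reservePPM so that burn()
/// is bound to the PPM used at mint time, as the finding recommends.
contract ReserveTrackedMinting {
    uint256 public totalSupply;
    // Minter reserve scaled by 1e6 (sum of amount * reservePPM).
    uint256 public minterReserveE6;
    // minter => reservePPM => outstanding amount minted at that PPM
    mapping(address => mapping(uint32 => uint256)) public mintedAtPPM;
    mapping(address => bool) public isMinter;

    modifier minterOnly() {
        require(isMinter[msg.sender], "not a minter");
        _;
    }

    constructor() {
        isMinter[msg.sender] = true;
    }

    /// Mint `amount` and book the matching reserve contribution under the
    /// (minter, reservePPM) pair, so the same pair can be checked on burn.
    function mint(uint256 amount, uint32 reservePPM) external minterOnly {
        require(reservePPM <= 1_000_000, "ppm exceeds 100%");
        mintedAtPPM[msg.sender][reservePPM] += amount;
        minterReserveE6 += amount * reservePPM;
        totalSupply += amount; // simplified: no per-account balances
    }

    /// Burn only what this minter previously minted at exactly `reservePPM`.
    /// A mistyped or arbitrary PPM now reverts instead of releasing more
    /// minter reserve to equity than was contributed at mint time.
    function burn(uint256 amount, uint32 reservePPM) external minterOnly {
        uint256 outstanding = mintedAtPPM[msg.sender][reservePPM];
        require(outstanding >= amount, "exceeds amount minted at this PPM");
        mintedAtPPM[msg.sender][reservePPM] = outstanding - amount;
        minterReserveE6 -= amount * reservePPM;
        totalSupply -= amount;
    }
}
```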