code-423n4 / 2023-04-frankencoin-findings


Frankencoin: do not take the `reservePPM` as a function argument. A malicious user can use this value to arbitrarily change the minterReserveE6 #981

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/Frankencoin.sol#L194-L197

Vulnerability details

Impact

A minter can use a large reservePPM value to arbitrarily change the reservePPM.

Proof of Concept

```solidity
function burn(uint256 amount, uint32 reservePPM) external override minterOnly {
  _burn(msg.sender, amount);
  minterReserveE6 -= amount * reservePPM;
}
```

The function takes the reservePPM as an argument and uses it to reduce the minterReserveE6.

Tools Used

Manual review

Recommended Mitigation Steps

Use the reservePPM from the position creation value.
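The recommended mitigation above, sketched as an added example that is not part of the original report and not Frankencoin code: a minimal model of the `minterReserveE6` counter with the caller-supplied burn next to a variant that reads the ratio recorded at mint time. The contract name, the `recordedPPM` and `minted` mappings, the mint-side bookkeeping (`+= amount * reservePPM`) and the Solidity 0.8 pragma are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0; // assumption: checked arithmetic (0.8+), so underflow reverts

/// Added illustration only: models the reserve counter, not the token itself.
contract ReserveAccountingModel {
    uint256 public minterReserveE6;                 // counter named on the page
    mapping(address => uint32) public recordedPPM;  // hypothetical: ratio fixed at mint time
    mapping(address => uint256) public minted;      // hypothetical: outstanding amount per minter

    // Assumed mint-side bookkeeping: the counter grows by amount * reservePPM.
    function mint(uint256 amount, uint32 reservePPM) external {
        require(reservePPM <= 1_000_000, "ppm out of range");
        require(
            minted[msg.sender] == 0 || recordedPPM[msg.sender] == reservePPM,
            "ratio differs from recorded value"
        );
        recordedPPM[msg.sender] = reservePPM;
        minted[msg.sender] += amount;
        minterReserveE6 += amount * reservePPM;
    }

    // Same shape as the burn quoted in the report: the caller chooses the ratio,
    // so the amount subtracted need not match what mint() added for this caller.
    function burnCallerRatio(uint256 amount, uint32 reservePPM) external {
        minted[msg.sender] -= amount;
        minterReserveE6 -= amount * reservePPM;
    }

    // Mitigation variant: the ratio comes from state recorded at mint time,
    // so mint followed by a full burn returns the counter to its prior value.
    function burnRecordedRatio(uint256 amount) external {
        minted[msg.sender] -= amount;
        minterReserveE6 -= amount * recordedPPM[msg.sender];
    }
}
```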

c4-pre-sort commented 1 year ago

0xA5DF marked the issue as low quality report

0xA5DF commented 1 year ago

The burned reserve is the same amount that was 'donated' to reserve by the minter during minting

c4-judge commented 1 year ago

hansfriese changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

hansfriese marked the issue as grade-b

c4-judge commented 1 year ago

hansfriese marked the issue as selected for report

c4-judge commented 1 year ago

hansfriese marked the issue as not selected for report