code-423n4 / 2023-07-tapioca-findings


AirdropBroker.sol#L442: `_participatePhase3` - `PHASE_3_AMOUNT_PER_USER` should be multiplied by 1e18 #1664

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/Tapioca-DAO/tap-token-audit/blob/59749be5bc2286f0bdbf59d7ddc258ddafd49a9f/contracts/option-airdrop/AirdropBroker.sol#L459

Vulnerability details

Impact

Incorrect eligibleAmount is minted to the user.

Proof of Concept

An eligible user can call the _participatePhase3 function and mint the aToken to them.

function _participatePhase3(
    bytes calldata _data
) internal returns (uint256 oTAPTokenID) {
    uint256 _tokenID = abi.decode(_data, (uint256));

    require(PCNFT.ownerOf(_tokenID) == msg.sender, "adb: Not eligible");
    address tokenIDToAddress = address(uint160(_tokenID));
    require(
        userParticipation[tokenIDToAddress][3] == false,
        "adb: Already participated"
    );
    // Close eligibility
    // To avoid a potential attack vector, we cast token ID to an address instead of using _to,
    // no conflict possible, tokenID goes from 0 ... 714.
    userParticipation[tokenIDToAddress][3] = true;

    uint128 expiry = uint128(lastEpochUpdate + EPOCH_DURATION); // Set expiry to the end of the epoch
    uint256 eligibleAmount = PHASE_3_AMOUNT_PER_USER; // @audit should be multiplied by 1e18
    uint128 discount = uint128(PHASE_3_DISCOUNT);
    oTAPTokenID = aoTAP.mint(msg.sender, expiry, discount, eligibleAmount);
}

As shown above, the eligibleAmount is incorrectly set.

Note that aoTAP has a decimal value of 1e18.

Tools Used

Recommended Mitigation Steps

Update the line as shown below:

uint256 eligibleAmount = PHASE_3_AMOUNT_PER_USER * 1e18;

Assessed type

Decimal
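An added Foundry test, not part of this report or of the Tapioca code base, showing how this class of decimals mistake can be caught in CI: a harness reproduces the eligibleAmount computation against a mock aoTAP and asserts that the value handed to mint() equals the per-user constant scaled by the token's decimals(). The mock contracts and the constant value 714 are assumptions, not values from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;
import "forge-std/Test.sol";

// Stand-in for aoTAP (assumed): records the eligibleAmount passed to mint() and reports 18 decimals.
contract MockAoTAP {
    uint8 public constant decimals = 18;
    uint256 public lastEligibleAmount;
    function mint(address, uint128, uint128, uint256 eligibleAmount) external returns (uint256) {
        lastEligibleAmount = eligibleAmount;
        return 1;
    }
}

// Reproduces only the amount computation of _participatePhase3; `scaled` toggles
// between the reported form (no 1e18) and the recommended fix.
contract Phase3Harness {
    uint256 public constant PHASE_3_AMOUNT_PER_USER = 714; // assumed value, not taken from the page
    MockAoTAP public aoTAP;
    constructor(MockAoTAP _aoTAP) { aoTAP = _aoTAP; }

    function participate(bool scaled) external returns (uint256) {
        uint256 eligibleAmount = scaled ? PHASE_3_AMOUNT_PER_USER * 1e18 : PHASE_3_AMOUNT_PER_USER;
        return aoTAP.mint(msg.sender, 0, 0, eligibleAmount);
    }
}

contract Phase3DecimalsTest is Test {
    MockAoTAP aoTAP;
    Phase3Harness harness;
    function setUp() public {
        aoTAP = new MockAoTAP();
        harness = new Phase3Harness(aoTAP);
    }

    // The amount handed to mint() must be in the token's base units: per-user amount * 10**decimals.
    function expectedAmount() internal view returns (uint256) {
        return harness.PHASE_3_AMOUNT_PER_USER() * 10 ** aoTAP.decimals();
    }

    function testUnscaledAmountIsTooSmall() public {
        harness.participate(false);
        assertLt(aoTAP.lastEligibleAmount(), expectedAmount()); // 714 base units, not 714 tokens
    }

    function testScaledAmountMatchesDecimals() public {
        harness.participate(true);
        assertEq(aoTAP.lastEligibleAmount(), expectedAmount());
    }
}
```

Deriving the expected value from decimals() rather than hard-coding 1e18 keeps the test honest if the token's precision ever changes.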

c4-pre-sort commented 1 year ago

minhquanym marked the issue as duplicate of #173

c4-judge commented 1 year ago

dmvt marked the issue as satisfactory