search

code-423n4 / 2023-11-canto-findings

7 stars 6 forks source link

Implementing emergency circuit breakers in Market.sol #189

Closed c4-submissions closed 9 months ago

c4-submissions commented 9 months ago

Lines of code

https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L150 https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L174 https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L203 https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L226

Vulnerability details

Impact

Implementing emergency protocols such as circuit breakers or pause functions in your smart contracts is an essential safeguard. These mechanisms can be crucial in preventing harm to the system and its users in case of detected anomalies, attacks, or critical bugs. Below, I outline a conceptual approach to add these features to the Market contract:

Proof of Concept

Use OpenZeppelin's Pausable contract to add pause functionality. This allows pausing and unpausing of critical functions like buy, sell, mintNFT, and burnNFT.

  1. Circuit Breaker Implement a circuit breaker that can be triggered under certain conditions (like extreme price volatility or suspicious activity). The circuit breaker can either partially or fully halt contract operations. Sample Implementation in Solidity: Here's a high-level example of how these mechanisms might be integrated into the Market contract. Note that this is a simplified representation for demonstration purposes:

// SPDX-License-Identifier: GPL-3.0-only pragma solidity 0.8.19;

import "@openzeppelin/contracts/security/Pausable.sol"; import "@openzeppelin/contracts/access/Ownable2Step.sol"; import "@openzeppelin/contracts/token/ERC1155/ERC1155.sol"; // ... other imports ...

contract Market is ERC1155, Ownable2Step, Pausable { // ... existing code ...

// Pause and Unpause functions
function pause() public onlyOwner {
    _pause();
}

function unpause() public onlyOwner {
    _unpause();
}

// Override functions that should be paused
function buy(uint256 _id, uint256 _amount) public whenNotPaused override {
    // ... buy logic ...
}

function sell(uint256 _id, uint256 _amount) public whenNotPaused override {
    // ... sell logic ...
}

function mintNFT(uint256 _id, uint256 _amount) public whenNotPaused override {
    // ... mintNFT logic ...
}

function burnNFT(uint256 _id, uint256 _amount) public whenNotPaused override {
    // ... burnNFT logic ...
}

// ... other functions ...

}

Tools Used

VS code

Recommended Mitigation Steps

Consider adding Pause Functionality Key Considerations: Access Control: Ensure that only authorized entities (like contract owners or a multi-sig wallet) can trigger the pause function. Transparency and Communication: Users should be informed about the existence of these emergency protocols and under what conditions they may be activated. Testing and Monitoring: Test the pause functionality thoroughly in a test environment. Monitor the contract's activity to determine if and when to trigger the circuit breaker. Audit and Review: Have the implementation audited by professionals, as adding such controls can introduce new complexities to the contract. Implementing these emergency protocols provides a critical safety mechanism to protect both the users and the system from unforeseen issues, ensuring greater security and resilience of your DeFi platform.

Assessed type

Access Control

c4-pre-sort commented 9 months ago

minhquanym marked the issue as duplicate of #268

c4-judge commented 9 months ago

MarioPoneder marked the issue as unsatisfactory: Out of scope