code-423n4 / 2023-11-canto-findings


The getPriceAndFee() function performs calculations without implementing reentrancy protection. #488

Closed c4-submissions closed 9 months ago

c4-submissions commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/bonding_curve/LinearBondingCurve.sol#L14-L25

Vulnerability details

Impact

An attacker could call getPriceAndFee() multiple times concurrently, read intermediate state, and craft calls to exploit any assumptions made between calculations. This could undermine the intended bonding curve pricing logic.

Proof of Concept

getPriceAndFee() loops through share amounts calculating cumulative prices and fees without enforced atomicity.

    // Linear bonding curve: the i-th share costs priceIncrease * i.
    // Declared view, so it reads contract state but cannot write it.
    function getPriceAndFee(uint256 shareCount, uint256 amount)
        external
        view
        override
        returns (uint256 price, uint256 fee)
    {
        // Sum the price and fee of shares shareCount .. shareCount + amount - 1
        for (uint256 i = shareCount; i < shareCount + amount; i++) {
            uint256 tokenPrice = priceIncrease * i;
            price += tokenPrice;
            // getFee(i) is a 1e18-scaled rate; fee is rounded down per share
            fee += (getFee(i) * tokenPrice) / 1e18;
        }
    }

An attacker could:

For example, an attacker could increment the amount between calls to deduce the pricing formula.

Tools Used

Manual Review

Recommended Mitigation Steps

Implement reentrancy guard modifier like nonReentrant

Assessed type

Reentrancy
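The following is an added reference model of the quoted getPriceAndFee() loop, written for this page and not part of the 1155tech contracts or the submission above. It makes the reviewer's point concrete: the function is declared view, so its result depends only on its two arguments and on contract constants, and the loop is equivalent to a closed-form arithmetic sum with no intermediate state that a second caller could observe. getFee(i) is not shown on the page, so a constant fee rate is assumed; priceIncrease and the fee rate are constructed values.

```python
# Reference model of LinearBondingCurve.getPriceAndFee() (added example, not project code).
# priceIncrease, the fee rate and getFee() are assumptions; the real getFee() is not on the page.

PRICE_INCREASE = 10**15   # assumed: 0.001 token per share step, in 1e18 fixed point
FEE_RATE = 10**16         # assumed: a flat 1% fee, in 1e18 fixed point


def get_fee(share_index: int) -> int:
    """Stand-in for getFee(i); a constant rate is assumed since the real one is not shown."""
    return FEE_RATE


def get_price_and_fee(share_count: int, amount: int) -> tuple[int, int]:
    """Mirror of the Solidity loop, using floor division as the EVM does."""
    price = 0
    fee = 0
    for i in range(share_count, share_count + amount):
        token_price = PRICE_INCREASE * i
        price += token_price
        fee += (get_fee(i) * token_price) // 10**18   # rounded down per share
    return price, fee


def closed_form_price(share_count: int, amount: int) -> int:
    """Same price without the loop: priceIncrease * sum of i over the purchased range.

    sum_{i=s}^{s+n-1} i = n*s + n*(n-1)/2, and n*(n-1) is always even, so the
    integer division is exact. This is why the loop has no 'intermediate state':
    it is pure arithmetic over the inputs and a constant.
    """
    return PRICE_INCREASE * (amount * share_count + amount * (amount - 1) // 2)


def same_result_on_repeat(share_count: int, amount: int, repeats: int = 3) -> bool:
    """Calling the view function any number of times yields identical output:
    nothing it reads is changed by calling it, so ordering of calls is irrelevant."""
    first = get_price_and_fee(share_count, amount)
    return all(get_price_and_fee(share_count, amount) == first for _ in range(repeats))


if __name__ == "__main__":
    price, fee = get_price_and_fee(10, 5)
    print(f"price={price} fee={fee} closed_form={closed_form_price(10, 5)}")
    print("repeat calls identical:", same_result_on_repeat(10, 5))
```

Because both the loop and the closed form depend only on (shareCount, amount) and the constant priceIncrease, a nonReentrant modifier would have nothing to protect here; the buy/sell functions that mutate share counts are where state consistency matters, and those are outside the lines cited by the report.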

c4-pre-sort commented 10 months ago

minhquanym marked the issue as insufficient quality report

minhquanym commented 10 months ago

Invalid

c4-judge commented 9 months ago

MarioPoneder marked the issue as unsatisfactory: Insufficient proof