code-423n4 / 2023-11-canto-findings


Not enough check for getPriceAndFee #497

Closed c4-submissions closed 9 months ago

c4-submissions commented 10 months ago

Lines of code

https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/bonding_curve/LinearBondingCurve.sol#L14

Vulnerability details

Impact

Edge cases for getPriceAndFee can cause an incorrect price to be returned and in turn cause incorrect tokens to be sent to the user. This can occur in the buy and sell functions.

Proof of Concept

https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/bonding_curve/LinearBondingCurve.sol#L14

In the buy function, the function getBuyPrice is called through (uint256 price, uint256 fee) = getBuyPrice(_id, _amount);, and this in turn calls the function getPriceAndFee through (price, fee) = IBondingCurve(bondingCurve).getPriceAndFee(shareData[_id].tokenCount + 1, _amount);. In getPriceAndFee, there is no check to see if the shareCount > _amount and cater for that condition, meaning price and fee return zero.

As we see here https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L153

Zero tokens are transferred from the msg.sender and the rest of the function proceeds, making the user receive the NFTs, with state updated with the amount thought to be paid and rewards activated, while paying zero tokens for it.

The same happens in the sell function: the user only gets rewards and loses the NFT.

Tools Used

Manual Review

Recommended Mitigation Steps

Add a check for this condition and ensure that logic is added, either reverting or returning a default price.

Assessed type

Invalid Validation

c4-pre-sort commented 10 months ago

minhquanym marked the issue as insufficient quality report

c4-judge commented 9 months ago

MarioPoneder marked the issue as unsatisfactory: Insufficient proof