Lines of code
https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/bonding_curve/LinearBondingCurve.sol#L14
Vulnerability details
Impact
Edge cases for getPriceAndFee can cause an incorrect price to be returned and, in turn, cause an incorrect number of tokens to be transferred from the user. This can occur in both the buy and the sell function.
Proof of Concept
https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/bonding_curve/LinearBondingCurve.sol#L14
In the buy function, getBuyPrice is called through (uint256 price, uint256 fee) = getBuyPrice(_id, _amount);, and this in turn calls getPriceAndFee through (price, fee) = IBondingCurve(bondingCurve).getPriceAndFee(shareData[_id].tokenCount + 1, _amount);. In getPriceAndFee there is no check for whether shareCount > _amount and no handling of that condition, so price and fee return zero. As we see here: https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L153
Zero tokens are transferred from msg.sender and the rest of the function proceeds: the user receives the NFTs, state is updated with the amount thought to have been paid, and rewards are activated, while zero tokens were paid for it. The same happens in the sell function: the user only gets rewards and loses the NFT.
Tools Used
Manual Review
Recommended Mitigation Steps
Add a check for this condition and ensure that logic is added, either reverting or returning a default price.
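As an added example (not part of this finding and not the project's own code), the following Solidity sketch shows the "revert" option from the mitigation applied in two places: a hypothetical linear bonding curve that refuses to return a zero quote, and a minimal market stub that validates the quote again before any transfer or mint. The contract names, the fee formula, the constant FEE_BPS and the error names are assumptions; the guards check the amount and the resulting price rather than the specific comparison worded above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Hypothetical curve written for this note (assumption: it is not the audited
// LinearBondingCurve.sol). Share number i costs priceIncrease * i, and the fee
// is a flat basis-point cut of each share's price.
interface IBondingCurve {
    function getPriceAndFee(uint256 shareCount, uint256 amount)
        external
        view
        returns (uint256 price, uint256 fee);
}

contract GuardedLinearCurve is IBondingCurve {
    uint256 public immutable priceIncrease;
    uint256 public constant FEE_BPS = 100; // 1 % fee, illustrative value

    error ZeroAmount();
    error ZeroQuote(uint256 shareCount, uint256 amount);

    constructor(uint256 _priceIncrease) {
        priceIncrease = _priceIncrease;
    }

    function getPriceAndFee(uint256 shareCount, uint256 amount)
        external
        view
        override
        returns (uint256 price, uint256 fee)
    {
        // Input guard: an empty range makes the loop below a no-op, which is
        // exactly how an unguarded curve ends up returning (0, 0).
        if (amount == 0) revert ZeroAmount();

        for (uint256 i = shareCount; i < shareCount + amount; i++) {
            uint256 tokenPrice = priceIncrease * i;
            price += tokenPrice;
            fee += (tokenPrice * FEE_BPS) / 10_000;
        }

        // Output guard: the "revert" option from the mitigation. Whatever the
        // inputs, a zero quote is never handed back to the market.
        if (price == 0) revert ZeroQuote(shareCount, amount);
    }
}

// Minimal market stub (assumption, not Market.sol) showing the caller-side
// check: it refuses to proceed when the curve quotes zero, so the curve's own
// guard is not the only line of defence.
contract MarketStub {
    IBondingCurve public immutable bondingCurve;
    uint256 public tokenCount;

    event Bought(address indexed buyer, uint256 amount, uint256 price, uint256 fee);

    constructor(IBondingCurve _curve) {
        bondingCurve = _curve;
    }

    function buy(uint256 amount) external returns (uint256 price, uint256 fee) {
        (price, fee) = bondingCurve.getPriceAndFee(tokenCount + 1, amount);
        require(price > 0, "Market: zero price quote");

        // Payment transfer and NFT mint would happen here, only after the
        // quote has been validated.
        tokenCount += amount;
        emit Bought(msg.sender, amount, price, fee);
    }
}
```

Reverting in the curve catches the empty-range case at its source; the require in the market catches any other path that produces a zero quote, so a user can never have state updated and rewards activated without having paid.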
Assessed type
Invalid Validation