Malicious shares can't be paused or stopped after creation, so users will continue use them

[c4-submissions]

Lines of code

https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L298-L313 https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L114-L127 https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L150-L169 https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L203-L221

Vulnerability details

Impact

In case if share creator is a malefactor he can try to do multiple malicious operations: Pump and Dump attack with price manipulation, artificially increase fees for NFT minting.

Proof of Concept

Both attacks described in my other reports and unfortunately I can't link them, so will provide issue ids.

1. Price manipulation - Title: Market token price for specific share can be manipulated, issue id: I_kwDOKrWS5853MSsR
2. NFT minting fee manipulation - Title: Fee for minting the Market Nft token can be manipulated, issue id: I_kwDOKrWS5853May7

While Market contract has some optional protection for share creation, it wouldn't help for already started shares. https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L298-L313

Tools Used

Manual audit

Recommended Mitigation Steps

Make protection/pause logic for malicious shares to protect users from buy/sell.

Assessed type

Governance

[c4-pre-sort]

minhquanym marked the issue as duplicate of #268

[c4-judge]

MarioPoneder marked the issue as unsatisfactory: Out of scope