Lines of code
https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L298-L313
https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L114-L127
https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L150-L169
https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L203-L221
Vulnerability details
Impact
If the share creator is a malefactor, he can attempt several malicious operations: a pump-and-dump attack using price manipulation, and artificially increasing the fees for NFT minting.
Proof of Concept
Both attacks are described in my other reports, and unfortunately I can't link them, so I will provide the issue ids.
Price manipulation - Title: Market token price for specific share can be manipulated, issue id: I_kwDOKrWS5853MSsR
NFT minting fee manipulation - Title: Fee for minting the Market Nft token can be manipulated, issue id: I_kwDOKrWS5853May7
While the Market contract has some optional protection for share creation, it would not help for shares that have already been started.
https://github.com/code-423n4/2023-11-canto/blob/main/1155tech-contracts/src/Market.sol#L298-L313
Tools Used
Manual audit
Recommended Mitigation Steps
Add protection/pause logic for malicious shares, so that users are protected from buying or selling them.
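One way the per-share pause recommended above could look, as an added example that is not code from Market.sol or from the report author. The contract names, `guardian`, `sharePaused`, `held` and the simplified `buy`/`sell` bodies (no pricing or fees) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not code from Market.sol. All names are hypothetical.
abstract contract SharePauseGuard {
    address public immutable guardian;            // assumed: the Market owner
    mapping(uint256 => bool) public sharePaused;  // share id => trading halted

    event SharePauseChanged(uint256 indexed id, bool paused);
    error SharePaused(uint256 id);
    error NotGuardian();

    constructor(address _guardian) {
        guardian = _guardian;
    }

    /// Halt or resume one share id; other shares keep trading.
    function setSharePaused(uint256 _id, bool _paused) external {
        if (msg.sender != guardian) revert NotGuardian();
        sharePaused[_id] = _paused;
        emit SharePauseChanged(_id, _paused); // lets monitoring see every change
    }

    /// Rejects the call while the given share id is paused.
    modifier whenShareActive(uint256 _id) {
        if (sharePaused[_id]) revert SharePaused(_id);
        _;
    }
}

/// Stand-in for the Market entry points; bonding-curve pricing and fees are omitted.
contract GuardedMarketExample is SharePauseGuard {
    // Hypothetical holdings ledger: share id => holder => token count.
    mapping(uint256 => mapping(address => uint256)) public held;

    constructor() SharePauseGuard(msg.sender) {}

    function buy(uint256 _id, uint256 _amount) external whenShareActive(_id) {
        held[_id][msg.sender] += _amount;
    }

    function sell(uint256 _id, uint256 _amount) external whenShareActive(_id) {
        held[_id][msg.sender] -= _amount; // checked arithmetic reverts on underflow
    }
}
```

The guard is keyed by share id, so it also applies to shares that were created before any creation restriction was switched on.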
Assessed type
Governance