code-423n4 / 2024-06-panoptic-findings

1 stars 0 forks source link

There is couple of issues with the privius code. #49

Closed howlbot-integration[bot] closed 1 month ago

howlbot-integration[bot] commented 1 month ago

Lines of code

https://github.com/code-423n4/2024-06-panoptic/blob/153f0d82440b7e63075d55b0659706531431145f/contracts/tokens/ERC20Minimal.sol#L35 https://github.com/code-423n4/2024-06-panoptic/blob/153f0d82440b7e63075d55b0659706531431145f/contracts/tokens/ERC20Minimal.sol#L122

Vulnerability details

Impact

  1. Corrected the syntax for mappings.

  2. Fixed the unchecked block in the _mint function to increment totalSupply first and then update balanceOf[to].

  3. Ensured the increment of totalSupply is within the unchecked block in _mint.

Proof of Concept

1.Mapping Syntax: //Solidity does not support the mapping syntax used in the code. The correct syntax for mappings should be mapping(address => uint256) instead of mapping(address account => uint256) and mapping(address => mapping(address => uint256)) instead of mapping(address owner => mapping(address spender => uint256)).

  1. Unchecked Block in _mint Function: //The unchecked block in _mint is misplaced. The increment of totalSupply should be within the unchecked block since that's the value that might overflow, although totalSupply should be incremented before updating the balanceOf[to].

  2. Total Supply Overflow Check: //There is no check to ensure totalSupply doesn't overflow. Although Solidity 0.8.0 and above has built-in overflow checks, the usage of unchecked blocks bypasses these checks. Ensure the increment is handled properly within the unchecked block if necessary.

Tools Used

  1. Opinions from colleagues.
  2. ChatGPT.
  3. Knowledge

Recommended Mitigation Steps

To ensure that your Solidity contract is secure and follows best practices, consider the following mitigation steps:

Correct Mapping Syntax:

Ensure that the mapping syntax adheres to Solidity's standards. Use mapping(address => uint256) for single-level mappings and mapping(address => mapping(address => uint256)) for nested mappings. Proper Unchecked Block Usage:

Use the unchecked block only where necessary and ensure that critical operations like updating totalSupply and balanceOf are done correctly to prevent overflow or underflow issues. Implement Overflow/Underflow Checks:

Although Solidity 0.8.x has built-in overflow/underflow checks, ensure that unchecked blocks are used judiciously and only where overflow/underflow is not a concern or is intentionally bypassed for specific reasons. Balance and Total Supply Management:

Always ensure that the total supply and balances are updated in a consistent manner. Any minting or burning of tokens should be reflected accurately in the totalSupply and individual balanceOf mappings. Follow Standard ERC-20 Practices:

Adhere to the ERC-20 token standard practices for functions like approve, transfer, and transferFrom. This ensures compatibility with other contracts and tools in the Ethereum ecosystem. Event Emission:

Ensure that all state-changing operations emit the appropriate events. This provides transparency and traceability for actions performed on the blockchain. Security Audits:

Regularly perform security audits of the contract. Use tools like MythX, Slither, and Oyente to analyze the contract for potential vulnerabilities. Consider third-party audits from reputable firms. Thorough Testing:

Implement comprehensive unit tests for the contract. Use frameworks like Truffle, Hardhat, or Foundry to test all possible scenarios, including edge cases. Ensure that tests cover not only standard functionality but also potential attack vectors such as reentrancy, overflow, underflow, and other common vulnerabilities.

Assessed type

ERC20

c4-judge commented 1 month ago

Picodes marked the issue as unsatisfactory: Invalid