hats-finance / Circles-0x6ca9ca24d78af44582951825bef9eadcb210e5cf

Circles Protocol contracts
https://aboutcircles.com
GNU Affero General Public License v3.0

attacker can reset normal users' claimable Circle tokens to zero #107

Open hats-bug-reporter[bot] opened 1 month ago

hats-bug-reporter[bot] commented 1 month ago

Github username: --
Twitter username: --
Submission hash (on-chain): 0x46275bc3271effce3a562559ad93bf742205104921807ff52f75ea876402167d
Severity: medium

Description:

**Description**

An attacker can exploit the calculateIssuanceWithCheck() function and reset the Circle mint amount of a user to ZERO by inputting a chosen user address to update the user's lastMintTime to block.timestamp.

```solidity
if (mintTime.mintV1Status != _mintV1Status) {
    mintTime.mintV1Status = _mintV1Status;
    mintTime.lastMintTime = uint96(block.timestamp);
}
```

This issue arises when a user stops the V1 token after registering in V2, as this changes the V1 status. The calculateIssuanceWithCheck() function will reset the user's lastMintTime to block.timestamp.

Since the calculateIssuanceWithCheck() function lacks access control, anyone can reset any user’s lastMintTime to block.timestamp.

As a result, an attacker could frontrun the victim's personalMint() function transaction, then call the calculateIssuanceWithCheck() function to reset the victim's claimable Circle tokens to zero.

**Impact**

An attacker can reset another user's claimable Circle tokens to zero.

**Recommendation**

Consider adding access control to the calculateIssuanceWithCheck() function.

benjaminbollen commented 1 month ago

Only the user themselves can change the V1 status; then anyone can update the V2 state accordingly. Invalid issue.
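
A minimal Python model of the branch quoted in the report, added here as an example and not taken from the Circles contracts or from either commenter: it shows that a call from any address moves `lastMintTime` only when the recorded V1 status differs from the current one, and it logs each such sync so third-party calls can be reviewed. The linear issuance rate, the `v1_status` lookup and every name in the model are assumptions.

```python
from dataclasses import dataclass

# Assumption: one unit accrues per elapsed second (not the protocol's real issuance curve).
RATE_PER_SECOND = 1


@dataclass
class MintTime:
    mint_v1_status: str   # V1 status last recorded in V2 state
    last_mint_time: int   # start of the currently claimable period


class HubModel:
    """Toy model of the status-sync branch quoted in the report (hypothetical names)."""

    def __init__(self):
        self.mint_times = {}  # avatar -> MintTime
        self.v1_status = {}   # avatar -> status reported by the V1 side (assumed lookup)
        self.sync_log = []    # (caller, avatar, pending_before) for monitoring

    def register(self, avatar, now, v1_status="active"):
        self.v1_status[avatar] = v1_status
        self.mint_times[avatar] = MintTime(v1_status, now)

    def claimable(self, avatar, now):
        return (now - self.mint_times[avatar].last_mint_time) * RATE_PER_SECOND

    def calculate_issuance_with_check(self, caller, avatar, now):
        """Permissionless in this model: any caller may pass any avatar."""
        mt = self.mint_times[avatar]
        observed = self.v1_status[avatar]
        if mt.mint_v1_status != observed:
            pending_before = self.claimable(avatar, now)
            mt.mint_v1_status = observed
            mt.last_mint_time = now  # mirrors lastMintTime = uint96(block.timestamp)
            self.sync_log.append((caller, avatar, pending_before))
        return self.claimable(avatar, now)


def third_party_syncs(hub):
    """Sync events where the caller is not the avatar whose mint time moved."""
    return [entry for entry in hub.sync_log if entry[0] != entry[1]]
```
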