search

hats-finance / Circles-0x6ca9ca24d78af44582951825bef9eadcb210e5cf

Circles Protocol contracts
https://aboutcircles.com
GNU Affero General Public License v3.0
0 stars 0 forks source link

Incorrect token amount minted when user wait and mint after register as human. #97

Open hats-bug-reporter[bot] opened 4 days ago

hats-bug-reporter[bot] commented 4 days ago

Github username: -- Twitter username: -- Submission hash (on-chain): 0x9598e977368f01aa667e2d9f81bc5ebf8d5c584f4978158ca1a78924d5987936 Severity: high

Description: Description\

Incorrect amount of token is minted to user.

Attack Scenario\ Describe how the vulnerability can be exploited.

Attachments

  1. Proof of Concept (PoC) File

    function testMintCheck() public {
    // Alice registers in v2
    ITokenV1 tokenAlice = signupInV1(addresses[0]);
    vm.prank(addresses[0]);
    tokenAlice.stop();
    vm.prank(addresses[0]);
    mockHub.registerHuman(address(0), bytes32(0));

    // Bob registers in v2
    ITokenV1 tokenBob = signupInV1(addresses[1]);
    vm.prank(addresses[1]);
    tokenBob.stop();
    vm.prank(addresses[1]);
    mockHub.registerHuman(address(0), bytes32(0));

    console.log("bob balance", mockHub.balanceOf(addresses[0],mockHub.toTokenId(addresses[0])));
    console.log("alice balance", mockHub.balanceOf(addresses[1],mockHub.toTokenId(addresses[1])));

    // move time
    skipTime(40 days); //960 hours
    // Alice can mint in V2
    vm.prank(addresses[0]);
    mockHub.personalMint();
    // Bob can mint in V2
    vm.prank(addresses[1]);
    mockHub.personalMint();

    console.log("bob balance", mockHub.balanceOf(addresses[0],mockHub.toTokenId(addresses[0])));
    console.log("alice balance", mockHub.balanceOf(addresses[1],mockHub.toTokenId(addresses[1])));
    //intentionally reverted to log the balance value.
    assert(1 == 2);
}
    Logs:
bob balance 0
alice balance 0
bob balance 335_499_787_406_064_420_311 (335*e18 approx))
alice balance 335499787406064420311

  2. Revised Code File (Optional)

0xpinky commented 4 days ago

I am checking this further about it. will add more details. From circle document - Each registered human can mint a deterministic amount of their personal currency at a consistent rate of one Circle per hour.

But, the code mint just 335 token for a period of 960 hours.

0xpinky commented 3 days ago

invalid.. the design mints only retroactively upto 14 days.

benjaminbollen commented 2 days ago

Analysis misses to take into account demurrage as documented and coded