hats-finance / Convergence-Finance---IBO-0x0e410e7af8e70fc5bffcdbfbdf1673ee7b3d0777

IBO, Vesting & Bond mechanism repo prepared for the Hats Finance audit competition

Centralization risk: Owner able to maliciously affect bond prices #44

Open hats-bug-reporter[bot] opened 1 year ago

hats-bug-reporter[bot] commented 1 year ago

Github username: @goheesheng
Submission hash (on-chain): 0x446cb46b124596ec6673fcbed77a2bd521e243ed528d34555d24b30885cfcb7e
Severity: high

Description: The owner is able to falsely inflate prices and crash the protocol.

Attack Scenario: The hacked wallet is able to create multiple bonds. It can inflate the price and affect the price of the tokens, or vice versa. The calculation of the bonds will thus be affected.

Attachments

1. Proof of Concept (PoC) File

```solidity
// Excerpt from the project's bond contract: both functions are gated only by onlyOwner.
function createBond(BondParams calldata bondParams) external onlyOwner {
    bondsParams[nextIdBond++] = bondParams;
}

/**
 *  @notice Set the id of the curve related to the bond, 0 for square root, 1 for the logarithm, 2 for square and 3 for linear
 *  @param bondId uint256
 *  @param newComposedFunction uint8
 */
function setComposedFunction(uint256 bondId, uint8 newComposedFunction) external onlyOwner {
    require(newComposedFunction < 4, "INVALID_COMPOSED_FUNCTION");
    bondsParams[bondId].composedFunction = newComposedFunction;
}
```

2. Mitigation

Create a role-based access control system if possible.

Without significant redesign, it is not possible to avoid the admin being able to rug-pull the protocol.

As a result, the recommendation is to set all admin functions behind either a timelocked DAO or at least a timelocked multisig contract.

walk-on-me commented 1 year ago

Hello, thanks a lot for your attention.

This risk is assumed. It's not in our plan to rug, given the lawsuit that would follow. Also, there is a protection for users on the deposit function in IBO, which is the amountOutMin in CVG tokens. We therefore consider this issue Invalid.
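The report's recommended mitigation (admin functions behind a timelock) can be illustrated on the exact function quoted above. The contract below is an added example written for this page, not Convergence code and not part of the reporter's submission: it replaces the single-step `setComposedFunction` with a queue/execute pair so that a curve change is announced on-chain and only takes effect after a delay. The contract name, `MIN_DELAY`, the `PendingChange` struct, the `admin` address and the event names are all assumptions; the `BondParams` struct is reduced to the one field the issue concerns.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example (hypothetical): timelocked two-step version of setComposedFunction.
/// Not the project's contract; all names below are assumptions.
contract TimelockedBondAdmin {
    struct BondParams {
        uint8 composedFunction; // other bond fields omitted for the example
    }

    struct PendingChange {
        uint8 newComposedFunction;
        uint64 eta;     // earliest timestamp at which the change may be executed
        bool exists;
    }

    uint256 public constant MIN_DELAY = 2 days;   // assumed delay; pick per governance policy
    address public immutable admin;               // assumed to be a timelocked DAO or multisig

    mapping(uint256 => BondParams) public bondsParams;
    mapping(uint256 => PendingChange) public pendingChanges;

    event ComposedFunctionQueued(uint256 indexed bondId, uint8 newComposedFunction, uint64 eta);
    event ComposedFunctionExecuted(uint256 indexed bondId, uint8 newComposedFunction);
    event ComposedFunctionCancelled(uint256 indexed bondId);

    modifier onlyAdmin() {
        require(msg.sender == admin, "NOT_ADMIN");
        _;
    }

    constructor(address _admin) {
        require(_admin != address(0), "ZERO_ADMIN");
        admin = _admin;
    }

    /// Step 1: announce the change. Users and monitoring see the event and the
    /// pending value on-chain and can exit the bond before it applies.
    function queueComposedFunction(uint256 bondId, uint8 newComposedFunction) external onlyAdmin {
        require(newComposedFunction < 4, "INVALID_COMPOSED_FUNCTION"); // same bound as the original
        uint64 eta = uint64(block.timestamp + MIN_DELAY);
        pendingChanges[bondId] = PendingChange(newComposedFunction, eta, true);
        emit ComposedFunctionQueued(bondId, newComposedFunction, eta);
    }

    /// Step 2: anyone may apply the change once the delay has elapsed. The value
    /// written is the one that was announced; it cannot be swapped at execution time.
    function executeComposedFunction(uint256 bondId) external {
        PendingChange memory p = pendingChanges[bondId];
        require(p.exists, "NOTHING_QUEUED");
        require(block.timestamp >= p.eta, "TIMELOCK_NOT_EXPIRED");
        delete pendingChanges[bondId];
        bondsParams[bondId].composedFunction = p.newComposedFunction;
        emit ComposedFunctionExecuted(bondId, p.newComposedFunction);
    }

    /// The admin can withdraw a queued change, but cannot shorten the delay.
    function cancelComposedFunction(uint256 bondId) external onlyAdmin {
        require(pendingChanges[bondId].exists, "NOTHING_QUEUED");
        delete pendingChanges[bondId];
        emit ComposedFunctionCancelled(bondId);
    }
}
```

The two protections discussed in the thread are complementary rather than interchangeable: a user-supplied `amountOutMin` bounds what a single deposit can lose if the curve changes in the same block, while the timelock gives every participant a public window to see a pending curve change before it affects any quote at all.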