
No donation required to restructure the table #949

Open
code423n4 opened this issue Apr 19, 2023 · 4 comments
Labels
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
duplicate-132
grade-b
Q-07
QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@code423n4 (Contributor)

Lines of code

https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/Equity.sol#L309-L315

Vulnerability details

Impact

The issue is that in function:

https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/Equity.sol#L309-L315

the documentation literally says:

 Example: there was a devastating loss and equity stands at -1'000'000. Most shareholders have lost hope in the
 Frankencoin system except for a group of small FPS holders who still believes in it and is willing to provide
 2'000'000 ZCHF to save it. These brave souls are essentially donating 1'000'000 to the minter reserve and it
 would be wrong to force them to share the other million with the passive FPS holders. Instead, they will get
 the possibility to bootstrap the system again owning 100% of all FPS shares.

meaning that the holder should make a donation to actually be able to restructure the table. In this case, any holder that is classified:

https://github.com/code-423n4/2023-04-frankencoin/blob/1022cb106919fba963a89205d3b90bf62543f68f/contracts/Equity.sol#L311

is able to restructure the table without donating any funds and has the power to burn anyone's shares, including the Frankencoin team's shares.

Therefore there is a clear discrepancy between the docs and the code which would enable any classified holder to burn anyone's shares without donating funds.

Proof of Concept

Steps for the attack to happen:

Frankencoin equity is below the minimum:

   require(zchf.equity() < MINIMUM_EQUITY);

Classified user that has voting power just calls the function restructureCapTable with the address that he wants to burn shares from.

Tools Used

Manual

Recommended Mitigation Steps

Make a require statement that the classified user indeed has to donate x amount of funds, depending on where the equity is, before he is able to burn y amount of shares.
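The two behaviours discussed above, as an added illustrative model written for this issue. It is not the Frankencoin Equity contract: the token interface, the MINIMUM_EQUITY value, the 3% qualification rule, the constructor seeding of balances and the assumption that transferring ZCHF into the contract raises `equity()` are all simplifications made for the example. The first function mirrors the report's description (qualified caller wipes addresses with no payment); the second shows one way to tie the wipe to the rescue the documentation describes, by requiring the caller's donation to restore equity above the threshold in the same transaction.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative model only; NOT the Frankencoin Equity contract.
// Assumed interface: equity() is the system's net equity floored at zero,
// and transferFrom moves ZCHF into the caller-specified recipient.
interface IStablecoinLike {
    function equity() external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract EquityRestructureModel {
    IStablecoinLike public immutable zchf;
    uint256 public constant MINIMUM_EQUITY = 1000 ether; // assumed threshold
    uint256 public constant QUORUM_BPS = 300;            // assumed: 3% of supply qualifies

    // Minimal share accounting standing in for the FPS token.
    mapping(address => uint256) private _balances;
    uint256 private _totalSupply;

    // Balances are seeded at deployment so the model can be exercised (assumption).
    constructor(IStablecoinLike _zchf, address[] memory holders, uint256[] memory amounts) {
        require(holders.length == amounts.length, "length mismatch");
        zchf = _zchf;
        for (uint256 i = 0; i < holders.length; i++) {
            _balances[holders[i]] += amounts[i];
            _totalSupply += amounts[i];
        }
    }

    function balanceOf(address holder) public view returns (uint256) {
        return _balances[holder];
    }

    // Simplified stand-in for the delegation-based voting-power check.
    function checkQualified(address sender) internal view {
        require(_totalSupply > 0, "no shares");
        require(_balances[sender] * 10_000 >= _totalSupply * QUORUM_BPS, "not qualified");
    }

    function _wipe(address[] calldata addressesToWipe) internal {
        for (uint256 i = 0; i < addressesToWipe.length; i++) {
            address current = addressesToWipe[i];
            uint256 amount = _balances[current];
            _balances[current] = 0;
            _totalSupply -= amount;
        }
    }

    // Behaviour the report describes: once equity is below the threshold, a
    // qualified holder can zero out other holders without contributing anything.
    function restructureCapTableNoDonation(address[] calldata addressesToWipe) external {
        require(zchf.equity() < MINIMUM_EQUITY, "equity not critical");
        checkQualified(msg.sender);
        _wipe(addressesToWipe);
    }

    // Mitigation in the spirit of the recommendation: the wipe only happens if
    // the caller first moves enough ZCHF into the system, in the same
    // transaction, to lift equity back to at least MINIMUM_EQUITY. That a
    // transfer to this contract raises equity() is an assumption of the model.
    function restructureCapTableWithDonation(address[] calldata addressesToWipe, uint256 donation) external {
        require(zchf.equity() < MINIMUM_EQUITY, "equity not critical");
        checkQualified(msg.sender);
        require(zchf.transferFrom(msg.sender, address(this), donation), "donation transfer failed");
        require(zchf.equity() >= MINIMUM_EQUITY, "donation does not restore equity");
        _wipe(addressesToWipe);
    }
}
```

Checking equity after the transfer, rather than requiring a fixed donation amount, ties the required payment to the size of the deficit, which is what the "depending on where the equity is" part of the recommendation asks for. A real implementation would also need to decide whether the donor's own address may appear in `addressesToWipe` and how the rescuer receives the 100% ownership the documentation promises.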

@code423n4 code423n4 added the "3 (High Risk): Assets can be stolen/lost/compromised directly" and "bug: Something isn't working" labels Apr 19, 2023
code423n4 added a commit that referenced this issue Apr 19, 2023
@c4-pre-sort

0xA5DF marked the issue as duplicate of #571

@c4-pre-sort

0xA5DF marked the issue as duplicate of #132

@c4-judge c4-judge added the "downgraded by judge: Judge downgraded the risk level of this issue" and "QA (Quality Assurance): Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax" labels and removed the "3 (High Risk): Assets can be stolen/lost/compromised directly" label May 17, 2023
@c4-judge (Contributor)

hansfriese changed the severity to QA (Quality Assurance)

@c4-judge (Contributor)

hansfriese marked the issue as grade-b

@C4-Staff C4-Staff reopened this May 23, 2023
@C4-Staff C4-Staff added the Q-07 label May 23, 2023