Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

isBuyed function returns wrong remainingAmount values or buy function is incorrectly implemeted #31

Open
hats-bug-reporter bot opened this issue Jan 28, 2025 · 2 comments · May be fixed by #126
Open

isBuyed function returns wrong remainingAmount values or buy function is incorrectly implemeted #31

hats-bug-reporter bot opened this issue Jan 28, 2025 · 2 comments · May be fixed by #126
Labels
Lead auditor low low needs-fix

Comments

@hats-bug-reporter
Copy link

Github username: --
Twitter username: --
HATS Profile: HATS Profile

Beneficiary: 0xf8e45a12a45CfBa70a24c00BC3492Ab948f028EE
Submission hash (on-chain): 0x1bfcc9d04f4e28d3b79f09f38a0854908411c0949d9d4e955096ed6e213ad88f
Severity: medium

Description:
Description
The isBuyed function returns an incorrect value for the remaining amount that can be bought by a user. Specifically, the function has hardcoded conditions that are not verified in the buy function. It assumes that when buyCounter[_address] == 1, the remaining amount is always minBuy, and when buyCounter[_address] > 1, the remaining amount is set to 0. However, the buy function does not enforce such checks and allows for an infinite remaining amount when the buyCounter is not checked adequately. This leads to discrepancies between the intended and actual remaining purchase limits, which can allow users to bypass limits and make more purchases than allowed.

Attack Scenario
An attacker can exploit this vulnerability by calling the isBuyed function after a purchase, where the function would incorrectly return an infinite remaining amount for users who have bought once. This could allow them to bypass the constraints imposed in the buy function, especially if they manage to interact with the contract in ways that the function logic does not account for (such as making repeated purchases without the correct checks for buyCounter). The attacker could potentially keep exploiting this flaw, circumventing the intended limits on the purchase amounts.

Attachments

  1. Revised Code
function isBuyed(address _address) external view returns (bool, uint256) {
    bool hasBought = buyCounter[_address] > 0;
    uint256 remainingAmount;
    if (_address == creator) {
        User storage user = userDetails[creator];
        remainingAmount = maxBuyCreator - user.buyAmount;
    } else {
        if (buyCounter[_address] == 0) {
            remainingAmount = maxBuyUser;
        } else if (buyCounter[_address] == 1) {
            remainingAmount = minBuy;  // Should check if this amount is still valid for the user
        } else {
            remainingAmount = 0;
        }
    }
    return (hasBought, remainingAmount);
}

Proposed Fix:
In the isBuyed function, ensure that the remaining purchase amount reflects the actual conditions set by the buy function. Specifically, make sure that remainingAmount is adjusted dynamically based on the actual logic in buy, instead of relying on static hardcoded values for buyCounter.
@PlamenTSV
Copy link
Collaborator

View function returns incorrect value, Low at best since it does not affect the system and it's components, good find none the less

This was referenced Jan 29, 2025
Open
Open
Open
Open
hats-bug-reporter bot added a commit that referenced this issue Feb 3, 2025
@hats-bug-reporter
fixes #31
d737ea9
hats-bug-reporter bot added a commit that referenced this issue Feb 3, 2025
@hats-bug-reporter
fixes #31
b35c94f
@hats-bug-reporter hats-bug-reporter bot linked a pull request Feb 3, 2025 that will close this issue
Open
@DaosisLLC
Copy link
Collaborator

@vishal-develop-web can you please check fixes ?

@DaosisLLC DaosisLLC added the low label Feb 4, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Lead auditor low low needs-fix
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Complementary submission for #31 hats-finance/DAOsis-0x8ef21ecb2af12ce9cc0e475eec25f90a9622b4f4
2 participants
@PlamenTSV @DaosisLLC