Assessment reports > Circuit DAO > High findings > Unverified solution parameters in recharge_win could lead to loss of tokens
Category: Business Logic

Unverified solution parameters in recharge_win could lead to loss of tokens

High Severity
High Impact
Medium Likelihood

Description

A recharge auction can be launched whenever the BYC balance of the treasury drops below the treasury minimum. In a recharge auction, the protocol acquires BYC to refill the treasury by auctioning off CRT. Once the recharge auction has concluded, the winner can mint an amount of CRT as specified in the bid by asserting the corresponding announcement from the auction coin, and the BYC amount bid gets paid to the treasury. The recharge-win operation allows the caller to provide the following solution parameters:

ttl
current_timestamp
treasury_coins
treasury_mod_hash
funding_coin_id
treasury_minimum
target_puzzle_hash

The funding_coin_id is the ID of the issuance coin, which is used to issue CRT coins to the winner of the bid. Because the operation can be called by anyone, a caller could provide an incorrect value for funding_coin_id, which is used to send a message to the coin to issue the CRT coin, as shown below:

(list SEND_MESSAGE 0x3f
  (concat
    PROTOCOL_PREFIX
    (sha256tree
      (c STATUTES_STRUCT
        (c target_puzzle_hash winning_crt_bid_amount)
      )
    )
  )
  funding_coin_id
)

A malicious user could thus receive this message in a fake funding coin and spend the recharge-auction coin without the transaction reverting.

Impact

The winner of the bid would not receive the CRT amount they won if a malicious user receives the message in a fake funding coin.

Recommendations

It is important to make sure that the funding coin ID is the expected one. Either the funding coin ID could be calculated in the puzzle itself, or the recharge-win operation could be restricted so that only the winner of the bid can run it.

When calculating the funding coin ID in the puzzle, it is important to make sure that the cat_mod_hash, crt_tail_hash, and the inner_puzzle of that CAT are all validated, because if any of these is invalid, the message could be received by an invalid coin.
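
The binding the first recommendation relies on, modelled in Python as an added example (it is not Circuit DAO's Chialisp and not code from the report): a Chia coin ID is the SHA-256 of parent ID, puzzle hash and amount, so an ID rebuilt from a puzzle hash that the puzzle itself fixes cannot match a coin carrying a different puzzle. The solution fields funding_parent_id and funding_amount are hypothetical, and every hash and amount below is a constructed sample value.

```python
import hashlib

def sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def clvm_int(n: int) -> bytes:
    """Minimal big-endian signed encoding used for coin amounts (0 -> empty)."""
    if n == 0:
        return b""
    return n.to_bytes((n.bit_length() + 8) >> 3, "big", signed=True)

def coin_id(parent_id: bytes, puzzle_hash: bytes, amount: int) -> bytes:
    """Chia coin ID: sha256(parent_coin_info || puzzle_hash || amount)."""
    return sha256(parent_id, puzzle_hash, clvm_int(amount))

# Constructed placeholders. In the real puzzle the expected hash would be
# derived from cat_mod_hash, crt_tail_hash and the issuance inner puzzle.
EXPECTED_CRT_PUZZLE_HASH = sha256(b"constructed: CRT issuance CAT puzzle")
OTHER_PUZZLE_HASH = sha256(b"constructed: unrelated puzzle")
PARENT_ID = sha256(b"constructed: parent coin")

def receiver_as_reported(solution: dict) -> bytes:
    """Pattern from the finding: the receiver is whatever the caller supplies."""
    return solution["funding_coin_id"]

def receiver_derived(solution: dict) -> bytes:
    """Recommended pattern: rebuild the ID from the puzzle hash the puzzle fixes.
    funding_parent_id and funding_amount are hypothetical solution fields."""
    return coin_id(solution["funding_parent_id"],
                   EXPECTED_CRT_PUZZLE_HASH,
                   solution["funding_amount"])

def message_delivered(receiver: bytes, coin: tuple) -> bool:
    """The message is only received by the coin whose ID equals the receiver."""
    return receiver == coin_id(*coin)

# Two coins that differ only in their puzzle hash (constructed sample).
issuance_coin = (PARENT_ID, EXPECTED_CRT_PUZZLE_HASH, 1)
fake_coin = (PARENT_ID, OTHER_PUZZLE_HASH, 1)
solution = {"funding_coin_id": coin_id(*fake_coin),
            "funding_parent_id": PARENT_ID,
            "funding_amount": 1}

if __name__ == "__main__":
    print("as reported, fake coin receives:",
          message_delivered(receiver_as_reported(solution), fake_coin))
    print("derived, fake coin receives:",
          message_delivered(receiver_derived(solution), fake_coin))
```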

Remediation

This issue has been acknowledged by Voltage Technologies Ltd., and fixes were implemented in the following commits:

Zellic © 2025