Bug Bounty Report: Cointag Minting and Reward Distribution Issues

[y-azy]

Bug Report: Cointag Minting and Reward Distribution Issue

Summary

This report outlines potential issues related to the Cointag protocol's minting process, specifically focusing on the failure of the buy and burn mechanism and the distribution of ETH rewards to the creator and minter. The findings are based on the analysis of the codebase and the bug bounty program's guidelines.

Potential Issues Identified

1. Minting Process and Reward Distribution

Description: When a user mints a creator's post, the expected behavior is that a portion of the creator rewards is used to buy and burn an ERC20 token, while the remaining ETH is sent to the creator. However, there are scenarios where this process may not execute correctly.

     Code Reference: The `_buyBurn` function in `CointagImpl.sol` handles the buy and burn process. If the swap fails, the entire amount should be sent to the creator, but there may be edge cases where this does not happen as intended.

2. Error Handling in Buy and Burn Process

Description: The current implementation emits events for both successful and failed operations, but there may be cases where the expected events are not emitted, or the balances are not updated correctly.

      Code Reference: The `BuyBurn` event in `ICointag.sol` captures the results of the buy and burn operation. The tests in `Cointag.t.sol` should ensure that these events are emitted with the correct parameters.

3. Test Coverage for Edge Cases

Description: The test cases do cover some failure scenarios, such as burn failures and transfer failures, but additional tests may be needed to ensure that all edge cases are handled properly. ATM, there is no test case specific to this bug scenario mentioned.

       Code Reference: The `testBurnFailure` and `testBurnAndTransferFailure` functions in Cointag.t.sol provide examples of how to mock failures and check the resulting state.

Relevant Code Snippet

Here’s a relevant snippet from CointagImpl.sol to focus and start with:

The _buyBurn function handles the buy and burn process. If the swap fails, the entire amount should be sent to the creator, but there may be edge cases where this does not happen as intended.

function _buyBurn() internal returns (uint256 amountToSendToCreator {
    uint256 amount = address(this).balance;
    uint256 amountToBuyBurn = (amount * _getCointagStorageV1().percentageToBuyBurn) / PERCENTAGE_BASIS;

    // Step 1: Wrap ETH and approve WETH
    weth.deposit{value: amountToBuyBurn}();

    // Step 2: Swap WETH for ERC20
    bytes memory buyFailureError = _swapWETHForERC20(amountToBuyBurn);

    // If swap failed, unwind and return
    if (buyFailureError.length > 0) {
        // transfer failed weth to creator
        IERC20(address(weth)).safeTransfer(_getCointagStorageV1().creatorRewardRecipient, amountToBuyBurn);

        // if swap fails, we want to send the entire amount to the creator reward recipient
        amountToSendToCreator = amount;
        emit BuyBurn(0, 0, amountToBuyBurn, amountToSendToCreator, amount, buyFailureError, "");
    } else {
        // amount remaining is the amount that was not used to buy/burn, that should transfer to the creator reward recipient
        amountToSendToCreator = amount - amountToBuyBurn;

        uint256 amountERC20Received = _getCointagStorageV1().erc20.balanceOf(address(this));

        // Step 3: Burn ERC20
        (amountERC20Burned, burnFailureError) = _tryBurnERC20(amountERC20Received);

        emit BuyBurn({
            amountERC20Received: amountERC20Received,
            amountERC20Burned: amountERC20Burned,
            amountETHSpent: amountToBuyBurn,
            amountETHToCreator: amountToSendToCreator,
            totalETHReceived: amount,
            buyFailureError: buyFailureError,
            burnFailureError: burnFailureError
        });
    }
}

Key Areas

Error Handling

Ensure that if the swap fails, the ETH is still sent to the creator.

Event Emission

Verify that the BuyBurn event is emitted with the correct parameters.

Balance Assertions

In the test cases, ensure that the balances of the creator and minter are checked after the pull function is called.

Impact of Changes

These issues could potentially lead to incorrect reward distributions, impacting both creators and minters. To mitigate these risks, I recommend enhancing test coverage and ensuring robust error handling.

Conclusion

The Cointag protocol's minting and reward distribution mechanisms are critical to its functionality. The identified issues could potentially lead to incorrect distributions of rewards or no rewards at all, impacting both creators and minters (a potentially big issue when billions of users are onboard to Zora). Please enhance the test coverage and ensure robust error handling to mitigate these risks.

Additional Notes

Relevant Cointag Files

CointagImpl.sol - This file contains the core logic for the Cointag, including the minting and reward distribution process.

CointagFactoryImpl.sol - This file manages the creation of Cointag instances.

Cointag.t.sol - This file contains tests for the Cointag functionality.

ExecuteTestCointagTransaction.s.sol - This script executes transactions related to Cointags.

CointagMappings.ts - This file handles events related to Cointag creation in the subgraph.

Potential Issues to Investigate

CointagImpl.sol - Check the _buyBurn function:

  Ensure that the ETH is correctly wrapped and swapped for the ERC20 token.
  Verify that the burn process is correctly handled, especially if the burn fails.
  Ensure that the remaining ETH is sent to the creator reward recipient.

Cointag.t.sol - Review the test cases:

   Look for tests that simulate the minting process and check if the expected events (like BuyBurn) are emitted.
   Ensure that the assertions for the balances of the creator and minter are correct after the minting and burning process.

ExecuteTestCointagTransaction.s.sol - Check the run function:

   Ensure that the transaction correctly deposits ETH and calls the pull function on the Cointag.
   Verify that the expected outcomes (like ETH distribution) are correctly handled.

CointagMappings.ts - Review the handleSetupNewCointag function:

    Ensure that the Cointag is correctly initialized and that the parameters (like creatorRewardRecipient, pool, and percentageToBuyBurn) are set correctly.

Screenshots of the issue

Links

Test Accounts

https://zora.co/collect/base:0x29dd6a5c122cba0a36755d75a61af6f3164ac36c/11?referrer=0xE47AA2353Ba7A94A5e1036adf405C3d8f6570912

https://basescan.org/address/0x29dd6a5c122cba0a36755d75a61af6f3164ac36c

https://basescan.org/address/0x6c7d845f0b226f55c234b362fddf4d3926e6576b

https://basescan.org/address/0x6c7d845f0b226f55c234b362fddf4d3926e6576b

[gilllo]

Hello y-azy - thanks for your report. Please send this report to [email protected] with a more in depth PoC on the issue you've outlined.