'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
DexLyn Disclosed Report
Audit report DexLyn Tokenomics Smart Contract Audit Contest Freeze bypass via fungible-store migration
Target
https://github.com/hackenproof-public/tokenomics_contract
Vulnerability Details
https://github.com/hackenproof-public/tokenomics_contract/blob/cc3983b3791b373e3632f9b5bf88bd2e669378af/dexlyn_coin/sources/dxlyn_coin.move#L419 checks coin::is_account_registered<DXLYN>(user) to decide whether to call the legacy CoinStore freeze path. The same guard exists for unfreeze at https://github.com/hackenproof-public/tokenomics_contract/blob/cc3983b3791b373e3632f9b5bf88bd2e669378af/dexlyn_coin/sources/dxlyn_coin.move#L443
In the framework, coin::is_account_registered returns true even after coin::migrate_to_fungible_store has deleted the CoinStore, because it also detects migrated primary fungible stores (build/DexlynTokenomics/sources/dependencies/SupraFramework/coin.move (line 816)).
Post-migration the account no longer has a CoinStore, so the guard still routes into coin::freeze_coin_store, which immediately aborts on borrow_global_mut<CoinStore<_>> because the resource is gone. The unfreeze path fails the same way.
As a result any holder can migrate once and become permanently immune to admin freeze or unfreeze attempts. The admin transactions abort and enforcement tooling is broken.
Any holder can migrate their balance once and make every subsequent admin freeze/unfreeze attempt abort because the code still routes into coin::freeze_coin_store, which no longer exists. There’s no direct value theft, but it permanently disables a core enforcement control and lets an attacker disrupt protocol operations at will.
Recommendation
Update the guard to test exists<CoinStore<DXLYN>>(user) (or similar) before calling coin::freeze_coin_store, and fall back to primary_fungible_store::set_frozen_flag when only the fungible store remains.
Validation steps
diff --git a/dexlyn_coin/tests/dxlyn_coin_test.move b/dexlyn_coin/tests/dxlyn_coin_test.move
--- a/dexlyn_coin/tests/dxlyn_coin_test.move
+++ b/dexlyn_coin/tests/dxlyn_coin_test.move
@@
assert!(coin::is_coin_store_frozen<DXLYN>(alice_addr), 0x1);
}
#[test(dev = @dexlyn_coin, alice = @0x123)]
+#[expected_failure]
+fun test_freeze_token_after_coin_store_migration(dev: &signer, alice: &signer) {
+ setup_test_with_genesis(dev);
+ account::create_account_for_test(address_of(alice));
+
+ let dev_addr = address_of(dev);
+ let alice_addr = address_of(alice);
+
+ let amount = 1000 * DXLYN_DECIMAL;
+ dxlyn_coin::mint(dev, dev_addr, amount);
+
+ let coins = coin::withdraw<DXLYN>(dev, amount);
+ supra_account::deposit_coins(alice_addr, coins);
+
+ coin::migrate_to_fungible_store<DXLYN>(alice);
+
+ // Fails: freeze still dispatches to legacy CoinStore path after migration.
+ dxlyn_coin::freeze_token(dev, alice_addr);
+}
+
+#[test(dev = @dexlyn_coin, alice = @0x123)]
#[expected_failure(abort_code = dxlyn_coin::ERROR_NOT_OWNER, location = dxlyn_coin)]
fun test_freeze_token_non_owner(dev: &signer, alice: &signer) {
setup_test_with_genesis(dev);
account::create_account_for_test(address_of(alice));
dxlyn_coin::freeze_token(alice, address_of(alice));
Attachments
hidden 
Comments on this report are hidden 
Details 
Participants (4) 
