'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Hesty Disclosed Report
Audit report Hesty DualDefense AuditIncorrect amounts of property tokens are distributed
Company
Created date
Mar 03 2025
Target
https://github.com/la-bomba-studio/hesty-contract/tree/29596447b9a06d4ad53360d4a15f349ebf9fa0d8
Vulnerability Details
There is an amount scale mismatch between PropertyToken and TokenFactory contracts.
When creating property tokens, their initial supply is multiplied by 10^18 before minting to the manager contract (initialSupply_ * 1 ether):
constructor(
address tokenManagerContract_,
uint256 initialSupply_,
string memory name_,
string memory symbol_,
address rewardAsset_,
address ctrHestyControl_,
address owner
) ERC20(name_, symbol_) AccessControlDefaultAdminRules(
3 days,
owner // Explicit initial `DEFAULT_ADMIN_ROLE` holder
){
// Supplies higher than TEN_POWER_FIFTEEN ether will result in precision lost
require(initialSupply_ < TEN_POWER_FIFTEEN, "Precision lost");
// Property Token Supply Issuance
_mint(address(tokenManagerContract_), initialSupply_ * 1 ether);
rewardAsset = IERC20(rewardAsset_);
ctrHestyControl = IHestyAccessControl(ctrHestyControl_);
}
However, the manager contract that hold tokens, that is TokenFactory does not know this scale, it stores the unscaled amount:
address newAsset = IIssuance(ctrHestyIssuance).createPropertyToken(
amount,
address(revenueToken),
name,
symbol,
admin,
ctrHestyControl.owner() );
property[propertyCounter++] = PropertyInfo( tokenPrice,
amount,
threshold,
0,
0,
false,
false,
false,
msg.sender,
msg.sender,
IERC20(paymentToken),
newAsset,
IERC20(revenueToken));
This means that TokenFactory thinks and distributes X amount while it actually has X^18 tokens.
After the sale completes, users can claim only pennies and the majority (>99.9%) of property tokens will forever reside in the token factory contract.
buyTokens credits user amount which should not be above p.amountToSell:
...
require(p.raised + amount <= p.amountToSell, "Too much raised");
...
rightForTokens[onBehalfOf][id] += amount;
So dividends are lost because once distributed, users will practically get nothing because of the incorrect their balance and total supply ratio:
dividendPerToken += amount * MULTIPLIER / super.totalSupply();
uint256 amount = ( (dividendPerToken - xDividendPerToken[account]) * balanceOf(account) / MULTIPLIER);
Validation steps
- Property is created with
1e6 ether(automatically scaled by10^18) total supply and a price of100; - User can purchase up to
1e6 / 100property tokens; - Sale completes and user gets all tokens;
- The majority of supply stays in the factory (
1e6 ether - 1e6 / 100).
I wrote a Foundry test case to showcase this vulnerability:
// SPDX-License-Identifier: UNLICENCED
pragma solidity ^0.8.19;
import "../contracts/TokenFactory.sol";
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "contracts/HestyAccessControl.sol";
import "contracts/HestyAssetIssuance.sol";
import "contracts/HestyRouter.sol";
import "contracts/Referral/ReferralSystem.sol";
import "contracts/TokenFactory.sol";
import {Test} from "forge-std/Test.sol";
contract MyERC20 is ERC20 {
constructor(string memory name_, string memory symbol_) ERC20(name_, symbol_) {}
}
contract MyTest is Test {
HestyAccessControl public hestyAccessControl;
TokenFactory public tokenFactory;
MyERC20 public eurc;
MyERC20 public usdc;
HestyAssetIssuance public issuanceContract;
ReferralSystem public referralSystem;
HestyRouter public hestyRouter;
uint256 internal testPropertyId;
bytes32 public constant KYC_MANAGER = keccak256("KYC_MANAGER");
function setUp() public {
hestyAccessControl = new HestyAccessControl();
tokenFactory = new TokenFactory(
300,
100,
0x168090283962c5129A2CBc91E099369297f32437,
1,
address(hestyAccessControl)
);
eurc = new MyERC20(
"Euro Circle",
"EURC"
);
usdc = new MyERC20(
"Dollar",
"USDC"
);
referralSystem = new ReferralSystem(
address(eurc),
address(hestyAccessControl),
address(tokenFactory)
);
issuanceContract = new HestyAssetIssuance(
address(tokenFactory)
);
hestyRouter = new HestyRouter(
address(tokenFactory),
address(hestyAccessControl)
);
tokenFactory.initialize(
address(referralSystem),
address(issuanceContract)
);
// Create test property
hestyAccessControl.grantRole(KYC_MANAGER, address(this));
hestyAccessControl.approveKYCOnly(address(this));
tokenFactory.addWhitelistedToken(address(eurc));
tokenFactory.addWhitelistedToken(address(usdc));
testPropertyId = tokenFactory.createProperty(
1e6,
1000,
100,
0,
address(usdc),
address(eurc),
"Test Property",
"TP",
address(hestyAccessControl)
);
tokenFactory.approveProperty(testPropertyId, block.timestamp + 1 weeks);
}
function test_IncorrectDistribution()
public
virtual
{
address userA = address(1);
deal(address(usdc), userA, 1 ether);
hestyAccessControl.approveKYCOnly(userA);
(
/*uint256 price*/,
uint256 amountToSell,
/*uint256 threshold*/,
/*uint256 raised*/,
/*uint256 raiseDeadline*/,
/*bool isCompleted*/,
/*bool approved*/,
/*bool extended*/,
/*address owner*/,
/*address ownerExchAddr*/,
/*address paymentToken*/,
address asset,
/*address revenueToken*/
) = tokenFactory.property(0);
ERC20 propertyToken = ERC20(asset);
assertEq(propertyToken.balanceOf(address(tokenFactory)), 1e6 ether);
assertEq(amountToSell, 1e6);
vm.startPrank(userA);
usdc.approve(address(tokenFactory), usdc.balanceOf(userA));
vm.expectRevert(); // require(p.raised + amount <= p.amountToSell, "Too much raised");
tokenFactory.buyTokens(userA, testPropertyId, 1 ether, address(0));
tokenFactory.buyTokens(userA, testPropertyId, 1e6 / 100, address(0));
vm.stopPrank();
tokenFactory.completeRaise(testPropertyId);
tokenFactory.getInvestmentTokens(userA, testPropertyId);
assertEq(propertyToken.balanceOf(address(userA)), 1e6 / 100);
assertEq(propertyToken.balanceOf(address(tokenFactory)), 1e6 ether - 1e6 / 100);
}
}
Attachments
hidden CommentsReport History
Comments on this report are hidden 
Details Statedisclosed
Severity Critical
Bounty$700
Visibilitypartially
VulnerabilityOther
Participants (3) 
