'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Hesty Disclosed Report
Audit report Hesty DualDefense AuditPermanent Fund Lock Due to State Transition Flaw in TokenFactory
Target
https://github.com/la-bomba-studio/hesty-contract/tree/29596447b9a06d4ad53360d4a15f349ebf9fa0d8
Vulnerability Details
Brief
The TokenFactory contract exposes a flawed state transition handling between its cancelProperty and completeRaise functions, creating a condition where user investments become permanently locked if a property is canceled after meeting its threshold but before a successful raise completion. Because the threshold check in recoverFundsInvested disallows refunds once the threshold is met, and because cancellation sets approved = false, the contract ends up in a dead state. No one can complete the raise or recover funds, effectively trapping user assets in the contract.
Details
The problem arises from the interplay between three functions in the TokenFactory:
1- cancelProperty:
Sets raiseDeadline = 0, approved = false, and deadProperty[id] = true.
Code snippet:
function cancelProperty(uint256 id) external onlyAdmin {
property[id].raiseDeadline = 0;
property[id].approved = false;
deadProperty[id] = true;
emit CancelProperty(id);
}
2- completeRaise:
Requires property[id].approved == true and checks that p.raised * p.price ≥ p.threshold. Once canceled, property[id].approved = false, blocking completion.
Code snippet:
function completeRaise(uint256 id) external onlyAdmin {
PropertyInfo storage p = property[id];
require(p.approved && !p.isCompleted, "Canceled or Already Completed");
require(p.raised * p.price >= property[id].threshold, "Threshold not met");
property[id].isCompleted = true;
// Transfer logic ...
}
3- recoverFundsInvested:
Checks (!p.isCompleted) and (p.raiseDeadline < block.timestamp) and (p.raised * p.price < p.threshold). If a property’s threshold is already met, this path disallows refunds.
Code snippet:
function recoverFundsInvested(address user, uint256 id)
external nonReentrant whenNotAllPaused {
PropertyInfo storage p = property[id];
require(p.raiseDeadline < block.timestamp && !p.isCompleted, "Time not valid");
require(p.raised * p.price < p.threshold, "Threshold reached, cannot recover funds");
// ... Recovery logic ...
}
Sequence of Failure:
- A property reaches its funding threshold but has not yet had
completeRaisecalled. - An admin calls
cancelProperty, which zeroes out theraiseDeadlineand setsapproved = false. - Because approved is now false,
completeRaisecannot be called to finalize or distribute funds. recoverFundsInvestedremains blocked becausep.raised * p.price ≥ p.threshold.- As a result, user investments remain in limbo, with no further mechanism to recover or transfer them.
Impact
This flaw critically locks user capital by banning both recovery (due to meeting the threshold) and proper completion (due to canceled approval). Once triggered, neither the contract owner nor the users have any avenue to withdraw or redistribute those funds, resulting in a permanent fund lockup.
Validation steps
WORKING POC ATTACHED BELOW.
Change the file type from ".txt" to ".js" and run it inside the project with npx hardhat test test/Vulnerabilities/TokenFactoryLockFunds.test.js
Here are its logs::
=== Starting Vulnerability Demonstration ===
1. Property Created and Approved:
- Property ID: 0
- Total Tokens: 100
- Token Price: 10.0 ETH
- Threshold: 500.0 ETH
- Initial Raised: 0.0 ETH
2. Investment Details:
- Tokens to Buy: 60
- Price per Token: 10.0 ETH
- Base Investment: 600.0 ETH
- Platform Fee (3%): 18.0 ETH
- Listing Fee (10%): 60.0 ETH
- Investor Initial Balance: 1000.0 ETH
3. Post-Investment State:
- Total Raised: 600.0 ETH
- Threshold Required: 500.0 ETH
- Threshold Met: Yes
4. Property Canceled:
- Property Approved: false
- Raise Deadline: 0
5. Attempting to Complete Raise (Expected to Fail)
✓ Raise completion failed as expected
6. Attempting to Recover Funds (Expected to Fail)
✓ Fund recovery failed as expected
7. Final Balances:
- Investor's Initial Balance: 1000.0 ETH
- Investor's Current Balance: 382.0 ETH
- Amount Locked in Contract: 618.0 ETH
- Total Investor Loss: 618.0 ETH
=== Vulnerability Successfully Demonstrated ===
Funds are permanently locked in the contract with no way to recover them.
✔ Should demonstrate funds lock when canceling after threshold is met (56ms)
1 passing (193ms)
Attachments
hidden 
Comments on this report are hidden 
Details 
Participants (5) 
