'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Hesty Disclosed Report
Audit report Hesty DualDefense AuditUsers receives significantly fewer tokens than invested, leading to complete loss of funds
Target
https://github.com/la-bomba-studio/hesty-contract/tree/29596447b9a06d4ad53360d4a15f349ebf9fa0d8
Vulnerability Details
Description:
The incorrect calculation in the getInvestmentTokens function of TokenFactory contract will cause a severe loss for investors, as users receive significantly fewer tokens than they should.
The initialSupply of property tokens is minted in multiples of 10 ** 18 (18 decimals):
// Property Token Supply Issuance
@> _mint(address(tokenManagerContract_), initialSupply_ * 1 ether);
But when users call getInvestmentTokens, their investment is not adjusted accordingly:
@> SafeERC20.safeTransfer(IERC20(p.asset), user, rightForTokens[user][id]);
As a result, users receive tokens equivalent to their invested amount without the necessary multiplication by 10 ** 18. This leads to users receiving a negligible amount of tokens, making it impossible to recover their investment.
Impact:
- Affected party: All investors in the protocol.
- Loss: Investors suffer a 100% loss of their funds, as they receive an insignificant amount of tokens.
Mitigation:
Update the calculation in the getInvestmentTokens function of the TokenFactory contract by multiplying the token amount by 10 ** 18 (the decimals of the property token) to ensure correct token distribution.
-- SafeERC20.safeTransfer(IERC20(p.asset), user, rightForTokens[user][id]);
++ SafeERC20.safeTransfer(IERC20(p.asset), user, rightForTokens[user][id] * 1 ether);
Validation steps
Exploit Scenario:
- A user invests in a property with the goal of purchasing 2 Property tokens using the
buyTokensfunction of theTokenFactorycontract. - After the property raise period ends and the user has paid for 2 Property tokens, they attempt to claim their tokens via the
getInvestmentTokensfunction. - The protocol should issue 2 Property tokens with 18 decimals (
2 * 10 ** 18), but instead, it only issues 2 wei (the smallest unit). - As a result, the user holds an insignificant number of tokens, making it impossible to recover their investment.
Add this code in TokenFactory.test.js file:
describe("Incorrect Amount of Tokens Received", function () {
beforeEach(async function () {
//Not yet initialized so therefore address(0)
expect(await tokenFactory.referralSystemCtr()).to.equal("0x0000000000000000000000000000000000000000");
await tokenFactory.initialize(referral.address, issuance.address)
await hestyAccessControlCtr.connect(addr2).approveUserKYC(propertyManager.address);
await tokenFactory.addWhitelistedToken(token.address);
await tokenFactory.connect(propertyManager).createProperty(1000000, 1000, 4, 1, token.address, token.address, "token", "TKN", hestyAccessControlCtr.address)
expect(await tokenFactory.propertyCounter()).to.equal(1);
await tokenFactory.approveProperty(0, 2937487238472834);
// Approve owner kyc to allow him to buy property token
await hestyAccessControlCtr.connect(addr2).approveUserKYC(owner.address);
await token.approve(tokenFactory.address, 9);
await token.mint(owner.address, 8);
// User attempts to buy 2 Property Tokens
await tokenFactory.buyTokens(owner.address, 0, 2, addr3.address);
})
it("IncorrectTokens", async function () {
await ethers.provider.send("evm_mine", [2937487238472844]);
await tokenFactory.completeRaise(0);
await tokenFactory.getInvestmentTokens(owner.address, 0);
[PropertyToken, RevenueAddress] = await tokenFactory.getPropertyInfo(0);
// User only get 2 tokens instead of 2 x 10 ** 18 tokens
expect(await PropertyToken.balanceof(owner.address)).to.equal(2);
});
})
Attachments
hidden 
Comments on this report are hidden 
Details 
Participants (4) 
