'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Hesty Disclosed Report
Audit report Hesty DualDefense AuditUsers will lose extra fees paid during investment due to missing refund logic
Target
https://github.com/la-bomba-studio/hesty-contract/tree/29596447b9a06d4ad53360d4a15f349ebf9fa0d8
Vulnerability Details
Description:
The recoverFundsInvested function in TokenFactory contract do not refund the extra fees that users pay when purchasing tokens:
@> uint256 amount = userInvested[user][id];
userInvested[user][id] = 0;
rightForTokens[user][id] = 0;
@> SafeERC20.safeTransfer(p.paymentToken, user, amount);
Here is the amount investors pay in total to buy tokens via buyTokens function:
// Calculate the investment fee and then get the total investment cost
uint256 fee = boughtTokensPrice * platformFeeBasisPoints / BASIS_POINTS;
@> uint256 total = boughtTokensPrice + fee;
// Charge investment cost from user
@> SafeERC20.safeTransferFrom(p.paymentToken,msg.sender, address(this), total);
As a result, when a user requests a refund or when a property is canceled, only the principal investment is returned, while the extra fees remain stuck in the contract. There is no function to retrieve these fees, leading to an irreversible loss of funds for users. Since fees can be as high as 30% of the investment amount, investors stand to lose a significant portion of their funds due to this vulnerability.
Impact:
- Affected party: All investors who request refunds or experience property cancellations.
- Loss: Users lose up to 23% of their investment due to unrefunded fees, leading to significant financial losses.
- Additional impact: The contract accumulates locked funds over time, making them inaccessible.
Mitigation:
Modify the refund logic in the recoverFundsInvested function to ensure that users receive their total refunded investment.
Validation steps
Exploit Scenario:
- A user invests in a property and pays an additional fee as part of the token purchase.
- Later, the user requests a refund via
recoverFundsInvestedor the property gets canceled viacancelProperty. - The user receives only the principal investment amount, while the extra fees remain locked in the contract.
- Since there is no mechanism to recover these fees, users permanently lose this amount.
Add this code in TokenFactory.test.js file and run the test:
describe("Fees not refunded", function () {
beforeEach(async function () {
//Not yet initialized so therefore address(0)
expect(await tokenFactory.referralSystemCtr()).to.equal("0x0000000000000000000000000000000000000000");
await tokenFactory.initialize(referral.address, issuance.address)
await hestyAccessControlCtr.connect(addr2).approveUserKYC(propertyManager.address);
await tokenFactory.addWhitelistedToken(token.address);
await tokenFactory.connect(propertyManager).createProperty(1000000, 1000, 1000, 100000, token.address, token.address, "token", "TKN", hestyAccessControlCtr.address)
expect(await tokenFactory.propertyCounter()).to.equal(1);
await tokenFactory.approveProperty(0, 2937487238472834);
// Approve owner kyc to allow him to buy property token
await hestyAccessControlCtr.connect(addr2).approveUserKYC(owner.address);
await token.approve(tokenFactory.address, 2000);
await token.mint(owner.address, 1050);
// User buy 1 Property Tokens with boughtTokensPrice = 1000
// Fees = 30; Total Price = 1030
await tokenFactory.buyTokens(owner.address, 0, 1, addr3.address);
})
it("FeesNotRefunded", async function () {
await ethers.provider.send("evm_mine", [2937487238472844]);
await tokenFactory.recoverFundsInvested(owner.address, 0);
// User only get 1000 back as compared to 1030
expect(await token.balanceof(owner.address)).to.equal(1020);
});
})
Attachments
hidden 
Comments on this report are hidden 
Details 
Participants (5) 
