'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Hesty Disclosed Report
Audit report Hesty DualDefense AuditUsers' funds will be permanently locked if `cancelProperty` is executed after the threshold is reached
Target
https://github.com/la-bomba-studio/hesty-contract/tree/29596447b9a06d4ad53360d4a15f349ebf9fa0d8
Vulnerability Details
Description:
The cancelProperty function in TokenFactory contract can prevent users from claiming refunds via recoverFundsInvested if the investment threshold is reached before cancellation.
When cancelProperty is called, it modifies the contract state by setting raiseDeadline to 0, approved to false, and deadProperty to true:
function cancelProperty(uint256 id) external onlyAdmin{
@> property[id].raiseDeadline = 0; // Important to allow investors to recover funds
@> property[id].approved = false; // Prevent more investments
@> deadProperty[id] = true;
emit CancelProperty(id);
}
These state changes ensure that:
- Users can no longer purchase tokens for that property.
- The admin cannot restart the raise for the same property, as the
approvePropertyfunction checks fordeadProperty. - The
extendRaiseForPropertyfunction cannot be executed sinceraiseDeadlineis set to0.
This results in a situation where, once a property is canceled, it cannot be reactivated.
Now, as the property is canceled, users/investors should be able to retrieve their investments via recoverFundsInvested function. However, if the investment threshold is reached before cancellation, the following statement prevents users from reclaiming their funds:
@> require(p.raised * p.price < p.threshold, "Threshold reached, cannot recover funds");
This means users are permanently unable to withdraw their investments, leading to funds being indefinitely locked in the contract with no mechanism for retrieval.
This issue can occur in the following scenarios:
-
- A property manager decides to cancel the raise, and the admin calls the
cancelPropertyfunction. - However, before the transaction is executed, additional investments push the total raised amount above the threshold.
- Once
cancelPropertyis executed, the contract state changes, preventing users from claiming refunds viarecoverFundsInvested. - As a result, all invested funds remain permanently locked in the contract with no way to recover them.
- A property manager decides to cancel the raise, and the admin calls the
-
- A malicious actor intentionally buys tokens via the
buyTokenfunction, ensuring that the threshold is reached before the admin cancels the property. - This would trigger the same issue, where
cancelPropertyexecutes after the threshold is met, making it impossible for investors to claim refunds. - Since there are no functions to retrieve the locked funds, they remain permanently stuck in the contract.
- A malicious actor intentionally buys tokens via the
Impact:
- Affected party: All investors in the canceled property raise.
- Loss: Investors permanently lose their funds as they are unable to claim refunds.
- Additional Loss: The admin cannot complete the raise or reapprove the property to unlock funds, and as there are no functions to retrieve the funds, all invested funds are permanently locked in the contract.
Mitigation:
Modify the recoverFundsInvested function to include a deadProperty check, ensuring that if a property is canceled, investors can claim refunds regardless of whether the threshold has been reached.
Validation steps
Attack Scenario:
- A property raise is in progress, and users are investing funds.
- The property manager decides to cancel the raise, and the admin calls
cancelProperty. - Before the transaction executes, additional investments push the total raised amount above the threshold.
- Once
cancelPropertyis executed, the contract state changes. - Investors attempt to claim refunds via
recoverFundsInvested, but the function no longer allows withdrawals due to the threshold being met. - As there are no mechanisms to reverse this state and no functions to retrieve the locked funds, all invested funds are permanently locked in the contract.
Add this test code in TokenFactory.test.js file and run the test:
describe("Users cannot claim refunds", function () {
beforeEach(async function () {
//Not yet initialized so therefore address(0)
expect(await tokenFactory.referralSystemCtr()).to.equal("0x0000000000000000000000000000000000000000");
await tokenFactory.initialize(referral.address, issuance.address)
await hestyAccessControlCtr.connect(addr2).approveUserKYC(propertyManager.address);
await tokenFactory.addWhitelistedToken(token.address);
await tokenFactory.connect(propertyManager).createProperty(1000000, 1000, 1, 10, token.address, token.address, "token", "TKN", hestyAccessControlCtr.address)
expect(await tokenFactory.propertyCounter()).to.equal(1);
await tokenFactory.approveProperty(0, 2937487238472834);
// Approve owner kyc to allow him to buy property token
await hestyAccessControlCtr.connect(addr2).approveUserKYC(owner.address);
await token.approve(tokenFactory.address, 20);
await token.mint(owner.address, 15);
await tokenFactory.buyTokens(owner.address, 0, 2, addr3.address);
})
it("FundsNotClaimable", async function () {
// Property reaches threshold with this
await tokenFactory.buyTokens(owner.address, 0, 10, addr3.address);
// Property is canceled
await tokenFactory.cancelProperty(0);
await ethers.provider.send("evm_mine", [2937487238472844]);
// User cannot get refund
await expect(token.recoverFundsInvested(owner.address, 0)).to.be.revertedWith("Threshold reached, cannot recover funds");
});
})
Attachments
hidden 
Comments on this report are hidden 
Details 
Participants (5) 
