Company Simulator

First Flight #51
Beginner Friendly, DeFi
100 EXP
Submission Details
Impact: high
Likelihood: high

Company Simulator — Centralization and Logic Vulnerabilities

  • Auditor: Elimane NDOYE
    Organization: Global Business Intelligence Consulting
    Contest: CodeHawks / First Flight #51

    Summary

    The Company Simulator smart contracts contain a centralization flaw and a logic error in the share-pricing mechanism.
    These vulnerabilities allow a single owner to manipulate company assets, mint shares at no cost, and mislead investors about financial stability.

    Description

    Key financial and operational functions (produce(), increase_share_cap(), fund_investor()) are restricted to the OWNER.
    Additionally, the share price is computed with integer division, so it floors to zero whenever net_worth < issued_shares; in that state shares can be issued at no cost, with no upper bound on the amount.
    Together, these weaknesses compromise both security and trust.


    Risk

    • Type: Centralization / Logic / Access Control

    • Severity: Critical

    • Impact:

      • Owner or attacker can mint an unbounded number of shares at zero cost while net_worth < issued_shares.

      • Company funds can be drained.

      • False reputation metrics can mislead new investors.

    Proof of Concept (PoC)

    CODE (PYTHON):

    # PoC: reproduces the zero-share-price bug
    def poc_zero_price():
        net_worth = 1          # company net worth (wei), below the share count
        issued_shares = 1000   # shares already outstanding
        # Same floor (integer) division the contract uses: 1 // 1000 == 0
        share_price = net_worth // max(issued_shares, 1)
        assert share_price == 0
        print("OK: share_price =", share_price)

    poc_zero_price()

    Explanation:

    • Integer division (1 // 1000 = 0) results in share_price = 0; the same happens in every state where net_worth < issued_shares.

    • With a zero price, shares are issued at no cost to whoever reaches the issuance path (per the Description, the OWNER through fund_investor()).

    • Repeated calls to fund_investor() then issue an unbounded number of shares, diluting existing investors and enabling a complete drain of funds.



    Recommended Mitigation

    CODE (VYPER):

    # Fix: floor the share price at 1 wei and move production rights off the owner
    @internal
    @view
    def _share_price() -> uint256:
        # uint256 division floors. Flooring only the numerator is not enough:
        # max(1, 1) / 1000 is still 0, so the floor is applied to the quotient.
        price: uint256 = max(self.net_worth / max(self.issued_shares, 1), 1)
        assert price > 0, "share_price cannot be zero"
        return price

    @external
    def produce_items():
        # DAO-controlled production rights (has_role assumed from a role module)
        assert self.has_role(msg.sender, "PRODUCTION_MANAGER"), "Unauthorized"
        # production logic ...

    @external
    @view
    def test_safe_price() -> bool:
        # Functional verification: the price is never zero for the live state
        return self._share_price() > 0

    EXPLANATION:

      • Mathematical Safety: the inner max() removes the division by zero; the outer max() floors the quotient at 1 wei. Flooring the numerator alone would not do this, because max(1, 1) / 1000 still floors to 0.

      • Runtime Enforcement: assert price > 0 records the invariant and reverts if the pricing code is ever changed in a way that breaks it.

      • Functional Verification: test_safe_price() confirms the share price remains ≥ 1 wei for the contract's current state.

      • Governance Hardening: replaces owner-only access with DAO/multisig roles to prevent rug-pulls. has_role() is not defined in the snippet and must be supplied by an access-control module.

      • Economic Soundness: share issuance stays tied to real net worth; the 1 wei floor only takes effect while net_worth < issued_shares, where the unfloored price would be zero.

      • Performance: two max() calls and one assert add negligible gas overhead.
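As an added illustration that is not code from this submission or from the Company Simulator project: a constructed Python model of the issuance path, covering both the PoC above and the mitigation. The names net_worth, issued_shares and fund_investor() are taken from the finding; the accounting (pay shares × price, receive shares), the CompanySim class, the run_scenario() helper and the "attacker" address are assumptions. It shows why the zero price lets shares be issued for nothing, that flooring only the numerator (max(net_worth, 1)) still yields 0, and that flooring the quotient at 1 wei refuses the zero-cost mint.

```python
"""Constructed model of the share-issuance path (not the project's contract).

The names follow the finding; the accounting is an assumption used only to
show how a zero price lets shares be issued for nothing, and which price
floor actually closes that.
"""


def vulnerable_price(net_worth: int, issued_shares: int) -> int:
    # Floor division, as in the finding: 1 // 1000 == 0.
    return net_worth // max(issued_shares, 1)


def numerator_floor_price(net_worth: int, issued_shares: int) -> int:
    # Flooring only the numerator does NOT prevent a zero price:
    # max(1, 1) // 1000 is still 0.
    return max(net_worth, 1) // max(issued_shares, 1)


def safe_price(net_worth: int, issued_shares: int) -> int:
    # Floor the quotient at 1 wei; this is the invariant the fix needs.
    return max(net_worth // max(issued_shares, 1), 1)


class CompanySim:
    """Minimal assumed accounting: pay `shares * price`, receive `shares`."""

    def __init__(self, net_worth: int, issued_shares: int, pricing):
        self.net_worth = net_worth
        self.issued_shares = issued_shares
        self.pricing = pricing          # one of the three functions above
        self.balances: dict[str, int] = {}

    def share_price(self) -> int:
        return self.pricing(self.net_worth, self.issued_shares)

    def fund_investor(self, investor: str, shares: int, paid: int) -> int:
        """Issue `shares` to `investor` if `paid` covers the current price.
        Returns the wei actually charged; raises if the payment is short."""
        cost = shares * self.share_price()
        if paid < cost:
            raise ValueError("insufficient payment")
        self.issued_shares += shares
        self.net_worth += cost
        self.balances[investor] = self.balances.get(investor, 0) + shares
        return cost


def run_scenario(pricing) -> tuple[int, int]:
    """Start from the PoC state (net_worth=1, 1000 shares) and try to take
    1_000_000 shares for 0 wei. Returns (wei charged, shares obtained);
    (-1, 0) means the mint was refused."""
    sim = CompanySim(net_worth=1, issued_shares=1000, pricing=pricing)
    try:
        charged = sim.fund_investor("attacker", 1_000_000, paid=0)
    except ValueError:
        return (-1, 0)
    return (charged, sim.balances["attacker"])


if __name__ == "__main__":
    print("vulnerable:", run_scenario(vulnerable_price))             # (0, 1000000)
    print("numerator floor:", run_scenario(numerator_floor_price))   # (0, 1000000)
    print("quotient floor:", run_scenario(safe_price))               # (-1, 0)
```

Only the quotient floor refuses the zero-payment mint; the other two pricing functions hand the attacker a million shares for nothing and leave net_worth unchanged, which is the dilution and drain path the finding describes.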


Impact

Complete loss of investor funds (Critical)

  • Rug-pull risk via centralized owner functions

  • Fake business performance metrics

  • Loss of trust and DAO incompatibility

After applying the above fix, share_price is floored at 1 wei by the max() on the quotient, closing the zero-price path that allowed unlimited minting


ACTIONS

  • Add investor voting
    Use quorum-based governance for key decisions.

  • Prevent fake sales
    Require CustomerEngine to be DAO-approved and immutable once set.

  • Introduce transparency tools

    • Emit events for debt accumulation and repayment

    • Allow public view functions for investor protection


Severity

| Issue | Severity | Impact |
|---|---|---|
| Zero Share Price | Critical | Infinite minting & fund drain |
| Owner Rug-Pull | Critical | Full liquidity theft |
| Reputation Manipulation | High | False investor confidence |
| Financial Manipulation | High | Selective investor harm |
| Centralized Governance | High | DAO incompatibility |




✅ Summary

This audit demonstrates that Company Simulator cannot be considered decentralized in its current form.
The combination of owner-only control, mathematical flaws, and unchecked privileges exposes investors to total loss.

Severity: Critical
Recommendation: Immediate refactor before deployment.
