Full Report
Charged Particles is a decentralized NFT marketplace. An ERC721 NFT is called a Proton, which is ready to be energized by adding interest-bearing assets to it. A Charged Particle can have a royalties receiver contract set on it. That receiver is not reset when the NFT is sold to a different user. As a result, the receiver contract can hold the NFT hostage even after it has been sold: the malicious contract simply has a fallback that reverts unless a ransom is paid. Denial of Service (DoS) bugs can be impactful in this space, with millions of dollars at stake.
Analysis Summary
# Vulnerability: Permanent Denial-of-Service (DoS) via Malicious Royalty Receivers in Charged Particles
## CVE Details
- **CVE ID**: N/A (Project-specific discovery, typically documented in security audits)
- **CVSS Score**: 7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- **CWE**: CWE-750 (Value Management Issues during State Transitions), CWE-670 (Always-reverting logic)
## Affected Systems
- **Products**: Charged Particles Protocol
- **Versions**: Initial mainnet deployment (v1.0 variants)
- **Configurations**: "Proton" (ERC721) NFTs with enabled "Royalties Receiver" functionality.
## Vulnerability Description
The Charged Particles protocol allows NFTs (Proton) to be "energized" with interest-bearing assets. A specific feature allows the setting of a **Royalties Receiver** contract to handle secondary sale proceeds.
The flaw exists because the protocol fails to reset or clear the Royalties Receiver address when the NFT is transferred or sold to a new owner. If a malicious user sets a custom smart contract as the Royalty Receiver, they can program a `fallback()` or `receive()` function that intentionally calls `revert()`. Since the NFT marketplace logic calls this receiver during the settlement of a sale, the malicious contract can prevent any future sale or transfer of the NFT by causing the transaction to fail. This effectively holds the NFT and its underlying "charged" assets hostage indefinitely.
## Exploitation
- **Status**: PoC available / Identified during security review.
- **Complexity**: Low.
- **Attack Vector**: Network (Smart Contract Interaction).
## Impact
- **Confidentiality**: None.
- **Integrity**: None.
- **Availability**: **High**. The NFT becomes permanently illiquid and untransferable (Permanent Denial of Service), causing a total loss of access to the underlying collateral/interest for the current owner.
## Remediation
### Patches
- The protocol developers implemented a "reset" mechanism during the `transfer` or `sale` event of a Proton NFT.
- Subsequent versions of the `Proton.sol` contract ensure that royalty configurations are cleared or validated upon ownership change.
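As an added illustration (not the Charged Particles code; contract, function and field names such as `settleSale` and `royaltyReceiver` are assumed for this sketch), the push-payment settlement shape from the Vulnerability Description next to the hardened shape the patches describe, combining the receiver reset on ownership change with a pull-over-push payout:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Constructed sketch, not the Charged Particles code; contract and field names are assumed.

// Vulnerable shape: royalties are pushed to an owner-controlled address during
// settlement, and that address survives ownership changes. A receiver whose
// fallback reverts makes every future sale of the token fail.
contract PushSettlementVulnerable {
    mapping(uint256 => address) public royaltyReceiver;
    mapping(uint256 => address) public ownerOf;

    function setRoyaltyReceiver(uint256 tokenId, address receiver) external {
        require(msg.sender == ownerOf[tokenId], "not owner");
        royaltyReceiver[tokenId] = receiver; // never cleared on transfer
    }

    function settleSale(uint256 tokenId, address buyer) external payable {
        uint256 royalty = msg.value / 10; // 10% royalty, chosen for the sketch
        (bool ok, ) = royaltyReceiver[tokenId].call{value: royalty}("");
        require(ok, "royalty transfer failed"); // receiver's revert blocks the sale
        ownerOf[tokenId] = buyer;
    }
}

// Hardened shape: (1) clear the receiver whenever ownership changes, so a prior
// owner's configuration cannot follow the token; (2) credit royalties to a
// balance the receiver withdraws itself (pull-over-push), so a reverting
// receiver only blocks its own withdrawal, never the sale.
contract PullSettlementHardened {
    mapping(uint256 => address) public royaltyReceiver;
    mapping(uint256 => address) public ownerOf;
    mapping(address => uint256) public pendingRoyalties;

    function settleSale(uint256 tokenId, address buyer) external payable {
        address receiver = royaltyReceiver[tokenId];
        if (receiver != address(0)) {
            pendingRoyalties[receiver] += msg.value / 10; // no external call here
        }
        ownerOf[tokenId] = buyer;
        delete royaltyReceiver[tokenId]; // reset on ownership change
    }

    function withdrawRoyalties() external {
        uint256 amount = pendingRoyalties[msg.sender];
        pendingRoyalties[msg.sender] = 0; // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw failed");
    }
}
```

Seller proceeds and minting are omitted to keep the two settlement paths side by side; the point is that in the hardened contract no attacker-controlled code runs inside the sale transaction.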
### Workarounds
- Users should manually inspect the `royaltyReceiver` address of a Proton NFT before purchasing it on secondary markets.
- Avoid interacting with Protons that have unverified custom contract addresses set as royalty recipients.
## Detection
- **Indicators of Compromise**: Repeatedly failing transactions on NFT marketplaces (e.g., OpenSea, Rarible) when attempting to purchase or transfer a specific "Charged Particle" ID.
- **Detection Methods**:
  - Use static analysis (Slither, Mythril) to identify external calls to user-supplied addresses that lack a "pull-over-push" payment pattern.
  - Monitor for `revert` events originating from external royalty receiver addresses during the `_beforeTokenTransfer` or settlement hooks.
## References
- Charged Particles Protocol Documentation: hxxps[://]docs[.]charged[.]fi/
- DefiYield Rekt Database: hxxps[://]defiyield[.]app/rekt-database
- Security Audit Reports: hxxps[://]github[.]com/charged-particles/protocol-contracts/tree/master/audits