Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DoS: Attacker May Front-Run CoreFactory.createProject() Or CoreFactory.addCollection() With A collection.id Causing Future Transactions With The Same collection.id to Revert #35

Closed
code423n4 opened this issue Mar 31, 2022 · 1 comment
Closed

DoS: Attacker May Front-Run CoreFactory.createProject() Or CoreFactory.addCollection() With A collection.id Causing Future Transactions With The Same collection.id to Revert #35

code423n4 opened this issue Mar 31, 2022 · 1 comment
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2022-03-joyn/blob/c9297ccd925ebb2c44dbc6eaa3effd8db5d2368a/core-contracts/contracts/CoreFactory.sol#L147-L151
https://github.com/code-423n4/2022-03-joyn/blob/c9297ccd925ebb2c44dbc6eaa3effd8db5d2368a/core-contracts/contracts/CoreFactory.sol#L164
https://github.com/code-423n4/2022-03-joyn/blob/c9297ccd925ebb2c44dbc6eaa3effd8db5d2368a/core-contracts/contracts/CoreFactory.sol#L50-L56

Vulnerability details

Impact

A _collection.id may only be used once in CoreFactory._createCollection() since the the contract is deployed using the create2 opcode with a repeated salt and contract bytecode will fail to deploy a contract. Furthermore, the modifier onlyAvailableCollection will fail if a collection has already been made with that ID.

The result is an attacker may front-run any createProject() or addCollection() transaction in the mem pool and create another createProject() or addCollection() transaction with a higher gas price that uses the same _collection.id but changes the other fields such as the msg.sender which will make them the owner of the contract that is deployed. The original transaction will revert and the user will not be able to send any more transaction with this _collection.id.

The user would therefore have to generate a new _collection.id. However, the attack is repeateable and there is no guarantee this new ID will be used to create a project successfully without the attacker front-running the transaction again.

Proof of Concept

collections[_collection.id] is set in _createCollection()

    collections[_collection.id] = coreCollection;

It also has the onlyAvailableCollection which will cause future transactions to revert.

  modifier onlyAvailableCollection(string memory _collectionId) {
    require(
      collections[_collectionId] == address(0),
      'CoreFactory: Unavailable collection id'
    );
    _;
  }

The use of salt will cause an repeated _collection.id to fail.

    address coreCollection = address(
      new CoreProxy{salt: keccak256(abi.encodePacked(_collection.id))}(
        collection
      )
    );

Recommended Mitigation Steps

One possible mitigation of this issue is to have the collection.id be a hash including the msg.sender and a salt where the salt is a parameter to the function.

bytes32 collectionId = keccak256(abi.encodePacked(msg.sender, salt));

Another possible solution is to use an incrementing collectionId that is stored in the contract and incremented each time a user calls _createCollection(). e.g. the first call to _createCollection() will have collectionId = 1 the second will have collectionId = 2 and so on.

Consider also removing the salt field from the creation of the coreCollection if the contract address is not required to be deterministic. This will use the CREATE opcode rather than CREATE2.

    address coreCollection = address(new CoreProxy{(collection));
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Mar 31, 2022
code423n4 added a commit that referenced this issue Mar 31, 2022
@code423n4
kirk-baird issue #35
835f9a6
@sofianeOuafir sofianeOuafir added duplicate This issue or pull request already exists sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity") labels Apr 14, 2022
@sofianeOuafir
Copy link
Collaborator

duplicate of #26

@deluca-mike deluca-mike mentioned this issue Apr 22, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate This issue or pull request already exists sponsor confirmed Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sofianeOuafir @code423n4